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To  ensure  confidentiality  with  respect  to  medical  records  and  health  care- 
related  information,  and  for  other  purposes. 


IN  THE  SENATE  OF  THE  UNITED  STATES  ^ 

March  10,  1999 

Mr.  Jeffords  (for  himself  and  Mr.  Dodd)  introduced  the  following  bill; 
which  was  read  twice  and  referred  to  the  Committee  on  Health,  Edu- 
cation, Labor,  and  Pensions 


A  BILL 

To  ensure  confidentiality  with  respect  to  medical  records 
and  health  care-related  information,  and  for  other  purposes. 

1  Be  it  enacted  hy  the  Senate  and  House  of  Represent a- 

2  tives  of  the  United  States  of  America  in  Congress  assembled, 

3  SECTION  1.  SHORT  TITLE;  TABLE  OF  CONTENTS. 

4  (a)  Short  Title. — This  Act  may  be  cited  as  the 

5  "Health  Care  Personal  Information  Nondisclosure  Act  of 

6  1999"  or  the  "Health  Care  PIN  Act". 

7  (b)  Table  op  Contents. — The  table  of  contents  for 

8  this  Act  is  as  follows: 

Sec.  1.  Short  title;  table  of  contents. 

Sec.  2.  Findings. 

Sec.  3.  Purposes. 

Sec.  4.  Definitions. 
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TITLE  I— INDIVIDUAL'S  RIGHTS 

Subtitle  A — Review  of  Protected  Health  Information  by  Subjects  of  the 

Information 

Sec.  101.  Inspection  and  copying  of  protected  health  information. 
Sec.  102.  Amendment  of  protected  health  information. 
Sec.  103.  Notice  of  confidentiality  practices. 

Subtitle  B — Establishment  of  Safeguards 

Sec.  111.  Establishment  of  safeguards. 
Sec.  112.  Accounting  for  disclosures. 

TITLE  II— RESTRICTIONS  ON  USE  AND  DISCLOSURE 
Sec.  201.  General  rules  regarding  use  and  disclosure. 

Sec.  202.  Procurement  of  authorizations  for  disclosure  of  protected  health  in- 
formation for  treatment,  payment,  and  health  care  operations. 

Sec.  203.  Authorizations  for  disclosure  of  protected  health  information  other 
than  for  treatment,  payment,  or  health  care  operations. 

Sec.  204.  Next  of  kin  and  directory  hiformation. 

Sec.  205.  Emergency  circumstances. 

Sec.  206.  Oversight. 

Sec.  207.  Public  health. 

Sec.  208.  Health  research. 

Sec.  209.  Disclosure  in  civil,  judicial,  and  administrative  procedures. 
Sec.  210.  Disclosure  for  law  enforcement  purposes. 

Sec.  211.  Disclosures   for  postmarketing  adverse   experience   reporting  for 

human  drug  and  licensed  biological  products. 
Sec.  212.  Payment  card  and  electronic  payment  transaction. 
Sec.  213.  Standards  for  electronic  disclosures. 
Sec.  214.  Individual  representatives. 
Sec.  215.  Limited  liability  for  law  enforcement  officers. 
Sec.  216.  No  liability  for  permissible  disclosures. 

TITLE  III— SANCTIONS 

Subtitle  A — Criminal  Provisions 

Sec.  301.  Wrongful  disclosure  of  protected  health  information. 
Sec.  302.  Debarment  for  crimes. 

Subtitle  B — Civil  Sanctions 

Sec.  311.  Civil  penalty. 

Sec.  312.  Procedures  for  imposition  of  penalties. 

Sec.  313.  Report  on  use  of  existing  enforcement  mechanisms. 

Sec.  314.  Civil  action  by  individuals. 

TITLE  IV— MISCELLANEOUS 

Sec.  401.  Relationship  to  other  laws. 
Sec.  402.  Effective  date. 

1  SEC.  2.  FINDINGS. 

2  The  Congress  finds  that — 
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1  (1)  individuals  have  a  right  of  confidentiahty 

2  with  respect  to  their  personal  health  information  and 

3  records; 

4  (2)  with  respect  to  information  about  medical 

5  care  and  health  status,  the  traditional  right  of  con- 

6  fidentiality  is  at  risk; 

7  (3)  an  erosion  of  the  right  of  confidentiality 

8  may  reduce  the  willingness  of  patients  to  confide  in 

9  physicians  and  other  practitioners,  thus  jeopardizing 

10  quality  health  care; 

11  (4)  an  individual's  confidentiahty  right  means 

12  that  an  individual's  consent  is  needed  to  disclose  his 

13  or  her  protected  health  information,  except  in  rare 

14  and  limited  circumstances  required  by  the  public  in- 

15  terest; 

16  (5)  any  disclosure  of  protected  health  informa- 

17  tion  should  be  limited  to  that  information  or  portion 

18  of  the  medical  record  necessary  to  fulfill  the  purpose 

19  of  the  disclosure; 

20  (6)  incentives  need  to  be  created  to  use  non- 
21  identifiable  health  information  where  appropriate; 

22  (7)  the  availability  of  timely  and  accurate  per- 

23  sonal  health  data  for  the  delivery  of  health  care  serv- 

24  ices  throughout  the  Nation  is  needed; 
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1  (8)  personal  health  care  data  may  be  essential 

2  for  selected  types  of  medical  research; 

3  (9)  pubhc  health  uses  of  personal  health  data 

4  are  critical  to  both  personal  health  as  well  as  public 

5  health;  and 

6  (10)  confidentiality  of  an  individual's  health  in- 

7  formation  must  be  assured  without  jeopardizing  the 

8  pursuit  of  clinical  and  epidemiological  research  un- 

9  dertaken  to  improve  health  care  and  health  outcomes 

10  and  to  assure  the  quality  and  efficiency  of  health 

1 1  care. 

12  SEC.  3.  PURPOSES. 

13  The  purpose  of  this  Act  is  to — 

14  (1)  establish  strong  and  effective  mechanisms 

15  to  protect  against  the  unauthorized  and  inappropri- 

16  ate  use  of  protected  health  information  that  is  cre- 

17  ated  or  maintained  as  part  of  health  care  treatment, 

18  diagnosis,  enrollment,  payment,  plan  administration, 

19  testing,  or  research  processes; 

20  (2)  promote  the  efficiency  and  security  of  the 

21  health  information  infrastructure  so  that  members 

22  of  the  health  care  community  may  more  effectively 

23  exchange  and  transfer  health  information  in  a  man- 

24  ner  that  will  ensure  the  confidentiality  of  protected 
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1  health  information  without  impeding  the  dehvery  of 

2  high  quahty  health  care; 

3  (3)  create  incentives  to  turn  personal  health  in- 

4  formation  into  nonidentifiable  health  information  for 

5  oversight,  health  research,  pubhc  health,  law  en- 

6  forcement,  judicial,   and  administrative  purposes, 

7  where  appropriate;  and 

8  (4)  estabhsh  strong  and  effective  remedies  for 

9  violations  of  this  Act. 

10  SEC.  4.  DEFINrnONS. 

11  As  used  in  this  Act: 

12  (1)  Accrediting  body. — The  term  "accredit- 

13  ing  body"  means  a  national  body,  committee,  organi- 

14  zation,  or  institution  (such  as  the  Joint  Commission 

15  on  Accreditation  of  Health  Care  Organizations  or 

16  the  National  Committee  for  Quality  Assurance)  that 

17  has  been  authorized  by  law  or  is  recognized  by  a 

18  health  care  regulating  authority  as  an  accrediting 

19  entity  or  any  other  entity  that  has  been  similarly  au- 

20  thorized  or  recognized  by  law  to  perform  specific  ac- 

21  creditation,  licensing  or  credentialing  activities. 

22  (2)  Agent. — The  term  "agent"  means  a  person 

23  who  represents  and  acts  for  another  under  the  con- 

24  tract  or  relation  of  agency,  or  whose  function  is  to 

25  bring  about,  modify,  affect,  accept  performance  of. 
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1  or  terminate  contractual  obligations  between  the 

2  principal  and  a  third  person,  including  a  contractor. 

3  (3)  Anonymous  link. — 

4  (A)  In  general. — The  term  "anonymous 

5  Hnk"  means  a  number  assigned  to  nonidentifi- 

6  able  health  information  which,  by  itself,  con- 

7  tains  no  information  about  an  individual,  but 

8  which,  under  specific,  controlled  conditions,  can 

9  be  used  to  link  to  additional  health  information 

10  about  the  same  individual  which  may  be  used  to 

1 1  identify  that  individual. 

12  (B)  Disclosure. — ^Any  subsequent  disclo- 

13  sure  of  an  anonymous  link  with  any  information 

14  which,  together  with  information  previously  dis- 

15  closed  with  the  same  Hnk  might  reasonably  be 

16  used  to  identify  an  individual,  shall  be  consid- 

17  ered  to  be  a  disclosure  of  protected  health  infor- 

18  mation.  Such  a  disclosure  shall  convert  any  pre- 

19  viously  disclosed,   nonidentifiable  information 

20  with  the  same  link  into  protected  health  infor- 

21  mation. 

22  (4)  Common  rule. — The  term  "common  rule" 

23  means  the  Federal  policy  for  the  protection  of 

24  human  subjects  from  research  risks  originally  pub- 

25  lished  as  56  Federal  Register  28.012  (et  seq.)  (June 
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1  18,  1991)  as  adopted  and  implemented  by  a  Federal 

2  department  or  agency. 

3  (5)  Disclose. — The  term  "disclose"  means  to 

4  release,  transfer,  provide  access  to,  or  otherwise  di- 

5  vulge  protected  health  information  to  any  person 

6  other  than  the  individual  who  is  the  subject  of  such 

7  information.  Such  term  includes  the  initial  disclosure 

8  and  any  subsequent  disclosures  of  protected  health 

9  information. 

10  (6)  Employer. — The  term  "employer"  has  the 

11  meaning  given  such  term  under  section  3(5)  of  the 

12  Employee  Retirement  Income  Security  Act  of  1974 

13  (29  U.S.C.  1002(5)),  except  that  such  term  shall  in- 

14  elude  only  employers  of  two  or  more  employees. 

15  (7)  Health  care. — The  term  "health  care" 

16  means — 

17  (A)  preventive,  diagnostic,  therapeutic,  re- 

18  habilitative,  maintenance,  or  palhative  care,  in- 

19  eluding  appropriate  assistance  Avith  disease  or 

20  symptom  management  and  maintenance,  coun- 

21  seling,  service,  or  procedure — 

22  (i)  with  respect  to  the  physical  or 

23  mental  condition  of  an  individual;  or 

24  (ii)  affecting  the  structure  or  function 

25  of  the  human  body  or  any  part  of  the 
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1  human  body,  including  the  banking  of 

2  blood,  sperm,  organs,  or  any  other  tissue; 

3  or 

4  (B)  pursuant  to  a  prescription  or  medical 

5  order  any  sale  or  dispensing  of  a  drug,  device, 

6  equipment,  or  other  health  care  related  item  to 

7  an  individual,  or  for  the  use  of  an  individual. 

8  (8)  Health  caee  operations. — The  term 

9  "health  care  operations"  means  services  provided  by 

10  or  on  behalf  of  a  health  plan  or  health  care  provider 

11  for  the  purpose  of  carrying  out  the  management 

12  functions  of  a  health  care  provider  or  health  plan,  or 

13  implementing  the  terms  of  a  contract  for  health  plan 

14  benefits.  Such  term  means — 

15  (A)  conducting  quality  assurance  activities 

16  or  outcomes  assessments; 

17  (B)  reviewing  the  competence  or  qualifica- 

18  tions  of  health  care  professionals; 

19  (C)  performing  accreditation,  licensing,  or 

20  credentialing  activities; 

21  (D)   analysis  of  health  plan  claims  or 

22  health  care  records  data; 

23  (E)  evaluating  health  plan  and  provider 

24  performance; 
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1  (F)     carrying    out    utilization  review, 

2  precertification  or  preauthorization  of  services; 

3  (G)  underwriting  or  experience  rating  of 

4  health  plans; 

5  (H)  conducting  or  arranging  for  auditing 

6  services;  or 

7  (I)  such  other  services  as  the  Secretary  de- 

8  termines  appropriate. 

9  (9)    Health    care    provider. — The  term 

10  ''health  care  provider"  means  a  person,  who  with  re- 

1 1  spect  to  a  specific  item  of  protected  health  informa- 

12  tion,  receives,  creates,  uses,  maintains,  or  discloses 

13  the  information  while  acting  in  whole  or  in  part  in 

14  the  capacity  of — 

15  (A)  a  person  who  is  hcensed,  certified,  reg- 

16  istered,  or  otherwise  authorized  by  Federal  or 

17  State  law  to  provide  an  item  or  service  that 

18  constitutes  health  care  in  the  ordinary  course  of 

19  business,  or  practice  of  a  profession; 

20  (B)  a  Federal,  State,  or  employer  spon- 

21  sored  program  that  directly  provides  items  or 

22  services  that  constitute  health  care  to  bene- 

23  ficiaries;  or 
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1  (C)  an  officer,  employee,  or  agent  of  a  per- 

2  son  described  in  subparagraph  (A)  or  (B)  that 

3  is  engaged  in  the  provision  of  health  care. 

4  (10)  Health  or  life  insurer. — The  term 

5  "health  or  life  insurer"  means  a  health  insurance 

6  issuer  as  defined  in  section  9805(b)(2)  of  the  Inter- 

7  nal  Revenue  Code  of  1986  or  a  life  insurance  com- 

8  pany  as  defined  in  section  816  of  such  Code. 

9  (11)  Health  oversight  agency. — The  term 

10  "health  oversight  agency"  means  a  person  who,  with 

1 1  respect  to  a  specific  item  of  protected  health  infor- 

12  mation,  receives,  creates,  uses,  maintains,  or  dis- 

13  closes  the  information  while  acting  in  whole  or  in 

14  part  in  the  capacity  of — 

15  (A)  a  person  who  performs  or  oversees  the 

16  performance  of  an  assessment,  evaluation,  de- 

17  termination,  or  investigation,  relating  to  the  li- 

18  censing,  accreditation,  or  credentialing  of  health 

19  care  providers;  or 

20  (B)  a  person  who — 

21  (i)  performs  or  oversees  the  perform- 

22  ance  of  an  audit,  assessment,  evaluation, 

23  determination,  or  investigation  relating  to 

24  the  effectiveness  of,  compliance  with,  or 

25  apphcability  of,  legal,  fiscal,  medical,  or 
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1  scientific  standards  or  aspects  of  perform- 

2  ance  related  to  the  delivery  of,  or  payment 

3  for,  health  care;  and 

4  (ii)  is  a  pubHc  agency,  acting  on  be- 

5  half  of  a  public  agency,  acting  pursuant  to 

6  a  requirement  of  a  public  agency,  or  carry- 

7  ing  out  activities  under  a  Federal  or  State 

8  law  governing  the  assessment,  evaluation, 

9  determination,  investigation,  or  prosecution 

10  described  in  subparagraph  (A). 

11  (12)  Health  plan. — The  term  "health  plan" 

12  means  any  health  insurance  plan,  including  any  hos- 

13  pital  or  medical  service  plan,  dental  or  other  health 

14  service  plan  or  health  maintenance  organization 

15  plan,  provider  sponsored  organization,  or  other  pro- 

16  gram  providing  or  arranging  for  the  provision  of 

17  health  benefits.  Such  term  includes  employee  welfare 

18  benefits  plans  and  group  health  plans  as  defined  in 

19  sections  3  and  607  of  the  Employee  Retirement  In- 

20  come  Security  Act  of  1974  (29  U.S.C.  1002  and 

21  1167). 

22  (13)  Health  researcher. — The  term  "health 

23  researcher"  means  a  person,  or  an  officer,  employee 

24  or  independent  contractor  of  a  person,  who  receives 

25  protected  health  information  as  part  of  a  systematic 
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1  investigation,  testing;  or  evaluation  designed  to  de- 

2  velop  or  contribute  to  generalized  scientific  and  clini- 

3  cal  knowledge. 

4  (14)  Individual  representative. — The  term 

5  "individual  representative"  means  a  person  who  is 

6  authorized  by  law  (based  on  grounds  other  than  the 

7  individual  being  a  minor),  or  by  an  instrument  rec- 

8  ognized  under  law,  to  act  as  an  agent,  attorney, 

9  proxy,  or  other  legal  representative  of  a  protected  in- 

10  dividual.  Such  term  includes  a  health  care  power  of 

1 1  attorney. 

12  (15)   Institutional   review  board. — The 

13  term  "institutional  review  board"  means  a  review 

14  panel,  that  is  generally  associated  with  a  particular 

15  university  or  other  research  institution,  that  is  re- 

16  sponsible  for  implementing  Federal  human  subject 

17  protection  requirements  for  research  conducted  at  or 

18  supported  by  the  university  or  institution  involved. 

19  (16)  Law  enforcement  inquiry. — The  term 

20  "law  enforcement  inquiry"  means  a  lawful  investiga- 

21  tion  conducted  by  an  appropriate  government  agency 

22  or  official  inquiring  into  a  violation  of,  or  failure  to 

23  comply  with,  any  criminal  or  civil  statute  or  any  reg- 

24  ulation,  rule,  or  order  issued  pursuant  to  such  a 

25  statute. 
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1  (17)  Network  plan. — The  term  "network 

2  plan"  means  health  care  coverage  provided  under  a 

3  health  plan  under  which  the  financing  and  delivery 

4  of  health  care  are  provided,  in  whole  or  in  part, 

5  through  a  defined  set  of  health  care  providers  under 

6  contract  with  the  health  plan. 

7  (18)     NONIDENTIPIABLE     HEALTH  INPORMA- 

8  TION. — The  term  "nonidentifiable  health  informa- 

9  tion"  means  any  information  that  would  otherwise 

10  be  protected  health  information  except  that  such  in- 

1 1  formation  does  not  directly  reveal  the  identity  of  the 

12  individual  whose  health  or  health  care  is  the  subject 

13  of  the  information  and  there  is  no  reasonable  basis 

14  to  believe  that  such  information  could  be  used,  either 

15  alone  or  with  other  information  that  is,  or  should 

16  reasonably  be  known  to  be,  available  to  predictable 

17  recipients  of  such  information,  to  reveal  the  identity 

18  of  that  individual. 

19  (19)  Originating  provider. — The  term  "orig- 

20  inating  provider"  means  a  health  care  provider  who 

21  creates  or  originates  medical  information  that  is  or 

22  that  becomes  protected  health  information. 

23  (20)     Payment. — The     term  "payment" 

24  means — 

25  (A)  the  activities  undertaken  by — 
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1  (i)  or  on  behalf  of  a  health  plan  to  de- 

2  termine   its   responsibility   for  coverage 

3  under  the  plan  and  the  actual  payment 

4  under  such  plan;  and 

5  (ii)  a  health  care  provider  to  obtain 

6  payment  for  items  or  services  provided 

7  under  a  health  plan  or  provided  based  on 

8  a  determination  by  the  health  plan  of  re- 

9  sponsibility  for  coverage  under  the  plan; 

10  and 

11  (B)  activities  undertaken  as  described  in 

12  subparagraph  (A)  including — 

13  (i)  billing,  claims  management,  medi- 

14  cal  data  processing  or  other  administrative 

15  services; 

16  (ii)  determinations  of  coverage  or  ad- 

17  judication  of  health  benefit  claims;  and 

18  (iii)  review  of  health  care  services  with 

19  respect   to    medical    necessity,  coverage 

20  under  a  health  plan,  appropriateness  of 

21  care,  or  justification  of  charges. 

22  (21)  Person. — The  term  "person"  means  a 

23  government,  governmental  subdivision,  agency  or  au- 

24  thority;   corporation;   company;   association;  firm; 

25  partnership;  society;  estate;  trust;  joint  venture;  indi- 
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1  vidual;  individual  representative;  tribal  government; 

2  and  any  other  legal  entity. 

3  (22)  Protected  health  information. — The 

4  term  "protected  health  information"  means  any  in- 

5  formation    (including    demographic  information) 

6  whether  or  not  recorded  in  any  form  or  medium — 

7  (A)  that  relates  to  the  past,  present  or 

8  future— 

9  (i)  physical  or  mental  health  or  condi- 

10  tion  of  an  individual  (including  the  condi- 

11  tion  or  other  attributes  of  individual  cells 

12  or  their  components); 

13  (ii)  provision  of  health  care  to  an  indi- 

14  vidual;  or 

15  (iii)   payment  for  the  provision  of 

16  health  care  to  an  individual; 

17  (B)  that  is  created  or  received  by  a  health 

18  care  provider,  health  plan,  health  researcher, 

19  health  oversight  agency,  public  health  authority, 

20  employer,  law  enforcement  official,  health  or  hfe 

21  insurer,  school  or  university;  and 

22  (C)  that  is  not  nonidentifiable  health  infor- 

23  mation. 

24  (23)  Public  health  authority. — The  term 

25  "public  health  authority"  means  an  authority  or  in- 
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1  strumentality  of  the  United  States,  a  tribal  govern- 

2  ment,  a  State,  or  a  political  subdivision  of  a  State 

3  that  is — 

4  (A)  primarily  responsible  for  public  health 

5  matters;  and 

6  (B)  primarily  engaged  in  activities  such  as 

7  injury  reporting,  public  health  surveillance,  and 

8  public  health  investigation  or  intervention. 

9  (24)    School   or   university. — The  term 

10  ''school  or  university"  means  an  institution  or  place 

11  for  instruction  or  education,  including  an  elementary 

12  school,  secondary  school,  or  institution  of  higher 

13  learning,  a  college,  or  an  assemblage  of  colleges 

14  united  under  one  corporate  organization  or  govern- 

15  ment. 

16  (25)    Secretary. — The    term  "Secretary" 

17  means  the  Secretary  of  Health  and  Human  Services. 

18  (26)  State.— The  term  "State"  includes  the 

19  District  of  Columbia,  Puerto  Rico,  the  Virgin  Is- 

20  lands,  Guam,  American  Samoa,  and  the  Northern 

21  Mariana  Islands. 

22  (27)    Treatment. — The    term  "treatment" 

23  means  the  provision  of  health  care  by,  or  the  coordi- 

24  nation  of  health  care  among,  health  care  providers, 

25  or  the  referral  of  a  patient  from  one  provider  to  an- 
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1  other,  or  coordination  of  health  care  or  other  serv- 

2  ices  among  health  care  providers  and  third  parties 

3  authorized  by  the  health  plan  or  the  plan  member. 

4  (28)  Writing. — The  term  "writing"  means 

5  writing  in  either  a  paper-based  or  computer-based 

6  form,  including  electronic  signatures. 

7  TITLE  I— INDIVIDUAL'S  RIGHTS 

8  Subtitle  A — Review  of  Protected 

9  Health  Information  by  Subjects 

10  of  the  Information 

11  SEC.   101.  INSPECTION  AND  COPYING   OF  PROTECTED 

12  HEALTH  INFORMATION. 

13  (a)  In  General. — ^At  the  request  of  an  individual 

14  and  except  as  provided  in  subsection  (b),  a  health  care 

15  provider,  health  plan,  employer,  health  or  hfe  insurer, 

16  school,  or  university  shall  permit  an  individual  who  is  the 

17  subject  of  protected  health  information  or  the  individual's 

18  designee,  to  inspect  and  copy  protected  health  information 

19  concerning  the  individual,  including  records  created  under 

20  sections  102  and  112,  that  such  entity  maintains.  The  en- 

21  tity  may  set  forth  appropriate  procedures  to  be  followed 

22  for  such  inspection  or  copying  and  may  require  an  individ- 

23  ual  to  pay  reasonable  costs  associated  with  such  inspection 

24  or  copying. 
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1  (b)  Exceptions. — Unless  ordered  by  a  court  of  com- 

2  petent  jurisdiction,  an  entity  described  in  subsection  (a) 

3  is  not  required  to  permit  the  inspection  or  copying  of  pro- 

4  tected  health  information  if  any  of  the  following  conditions 

5  are  met: 


6  (1)  Endangerment  to  life  or  safety. — 

7  The  entity  determines  that  the  disclosure  of  the  in- 

8  formation  could  reasonably  be  expected  to  endanger 

9  the  life  or  physical  safety  of,  or  cause  substantial 

10  mental  harm  to,  the  individual  who  is  the  subject  of 

1 1  the  record. 

12  (2)  Confidential  source. — The  information 

13  identifies,  or  could  reasonably  lead  to  the  identifica- 

14  tion  of,  a  person  who  provided  information  under  a 

15  promise  of  confidentiality  concerning  the  individual 

16  who  is  the  subject  of  the  information. 

17  (3)  Information  compiled  in  anticipation 

18  of    litigation. — The    information    is  compiled 

19  principally — 

20  (A)  in  the  reasonable  anticipation  of  a 

21  civil,  criminal,  or  administrative  action  or  pro- 

22  ceeding;  or 

23  (B)  for  use  in  such  action  or  proceeding. 

24  (4)  Research  purposes. — The  information 

25  was  collected  for  a  research  project  monitored  by  an 
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1  institutional  review  board,  such  project  is  not  com- 

2  plete,  and  the  researcher  reasonably  believes  that  ac- 

3  cess  would  harm  the  conduct  of  the  research  or  in- 

4  validate  or  undermine  the  validity  of  the  research. 

5  (c)  Denial  of  a  Request  for  Inspection  or 

6  Copying. — If  an  entity  described  in  subsection  (a)  denies 

7  a  request  for  inspection  or  copying  pursuant  to  subsection 

8  (b),  the  entity  shall  inform  the  individual  in  writing  of — , 

9  (1)  the  reasons  for  the  denial  of  the  request  for 

10  inspection  or  copying; 

11  (2)  any  procedures  for  further  review  of  the  de- 

12  nial;  and 

13  (3)  the  individual's  right  to  file  with  the  entity 

14  a  concise  statement  setting  forth  the  request  for  in- 

15  spection  or  copying. 

16  (d)  Statement  Regarding  Request. — If  an  indi- 

17  vidual  has  filed  a  statement  under  subsection  (c)(3),  the 

18  entity  in  any  subsequent  disclosure  of  the  portion  of  the 

19  information  requested  under  subsection  (a)  shall  include — 

20  (1)  a  copy  of  the  individual's  statement;  and 

21  (2)  a  concise  statement  of  the  reasons  for  deny- 

22  ing  the  request  for  inspection  or  copying. 

23  (e)  Inspection  and  Copying  of  Segregable  Por- 

24  TION. — ^An  entity  described  in  subsection  (a)  shall  permit 

25  the  inspection  and  copying  under  subsection  (a)  of  any 
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1  reasonably  segregable  portion  of  a  record  after  deletion  of 

2  any  portion  that  is  exempt  under  subsection  (b). 

3  (f)  Deadline. — 

4  (1)  In  general. — Except  as  provided  in  para- 

5  graph  (2),  an  entity  described  in  subsection  (a)  shall 

6  comply  with  or  deny,  in  accordance  with  subsection 

7  (c)^  a  request  for  inspection  or  copying  of  protected 

8  health  information  under  this  section  not  later  than 

9  30  days  after  the  date  on  which  the  entity  receives 

10  the  request. 

11  (2)  Off  premises. — In  the  case  of  a  request 

12  described  in  paragraph  (1),  if  the  information  in- 

13  volved  is  in  paper  form,  located  off  the  premises  of 

14  the  entity  involved,  and  not  readily  available,  the  en- 

15  tity  shall  have  60  days  to  comply  with  or  deny  such 

16  request. 

17  (g)  Rules  Governing  Agents. — ^An  agent  of  an  en- 

18  tity  described  in  subsection  (a)  shall  not  be  required  to 

19  provide  for  the  inspection  and  copying  of  protected  health 

20  information,  except  where — 

21  (1)  the  protected  health  information  is  retained 

22  by  the  agent;  and 

23  (2)  the  agent  has  received  in  writing  a  request 

24  from  the  entity  involved  to  fulfill  the  requirements  of 

25  this  section; 
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1  at  which  time  such  information  shall  be  provided  to  the 

2  requesting  entity.  Such  requesting  entity  shall  comply  with 

3  subsection  (f)  with  respect  to  any  such  information. 

4  (h)  Rule  of  Construction. — This  section  shall  not 

5  be  construed  to  require  an  entity  described  in  subsection 

6  (a)  to  conduct  a  formal,  informal,  or  other  hearing  or  pro- 

7  ceeding  concerning  a  request  for  inspection  or  copying  of 

8  protected  health  information. 

9  SEC.  102.  AMENDMENT  OF  PROTECTED  HEALTH  INFORMA- 


10  TION. 

1 1  (a)  Requirements. — 

12  (1)  In  general. — Except  as  provided  in  sub- 

13  sections  (b)  and  (e),  not  later  than  45  days  after  the 

14  date  on  which  a  health  care  provider,  health  plan, 

15  employer,  health  or  life  insurer,  school,  or  university 

16  receives  from  an  individual  a  request  in  writing  to 

17  amend  information  that  meets  the  requirements  of 

18  paragraph  (2),  such  entity  shall — 

19  (A)  make  the  amendment  requested; 

20  (B)  inform  the  individual  of  the  amend- 

21  ment  that  has  been  made;  and 

22  (C)  make  reasonable  efforts  to  inform  any 

23  person  to  whom  the  unamended  portion  of  the 

24  information  was  previously  disclosed,  of  any 

25  nontechnical  amendment  that  has  been  made. 
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1  (2)  Information. — The  requirements  of  this 

2  para^aph  are  that — 

3  (A)  the  information  that  is  the  subject  of 

4  the  request  is  in  fact  inaccurate;  and 

5  (B)  the  entity  receiving  the  request  created 

6  the  information  that  is  at  issue. 

7  (b)  Refusal  to  Amend. — If  an  entity  described  in 

8  subsection  (a)  refuses  to  make  the  amendment  requested 

9  under  such  subsection,  the  entity  shall  inform  the  individ- 

10  ual  in  writing  of — 

11  (1)  the  reasons  for  the  refusal  to  make  the 

12  amendment; 

13  (2)  any  procedures  for  further  review  of  the  re- 

14  fusal;  and 

15  (3)  the  individual's  right  to  file  with  the  entity 

16  a  concise  statement  setting  forth  the  requested 

17  amendment  and  the  individual's  reasons  for  dis- 

18  agreeing  with  the  refusal. 

19  (c)  Statement  of  Disagreement. — If  an  individ- 

20  ual  has  filed  a  statement  of  disagreement  under  subsection 

21  (b)(3),  the  entity  involved,  in  any  subsequent  disclosure 

22  of  the  disputed  portion  of  the  information — 

23  (1)  shall  include  a  copy  of  the  individual's 

24  statement;  and 
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1  (2)  may  include  a  concise  statement  of  the  rea- 

2  sons  for  not  making  the  requested  amendment. 

3  (d)  Rules  Governing  Agents. — The  agent  of  an 

4  entity  described  in  subsection  (a)  shall  not  be  required  to 

5  make  amendments  to  protected  health  information,  except 

6  where — 

7  (1)  the  protected  health  information  is  retained 

8  by  the  agent;  and 

9  (2)  the  agent  has  been  asked  by  such  entity  to 

10  fulfill  the  requirements  of  this  section. 

11  If  the  agent  is  required  to  comply  with  this  section  as  pro- 

12  vided  for  in  paragraph  (2),  such  agent  shall  be  subject 

13  to  the  45-day  deadline  described  in  subsection  (a). 

14  (e)  Extension  for  Paper  Records  Off  Prem- 

15  ISES. — In  the  case  of  a  request  described  in  subsection  (a), 

16  if  the  information  involved  is  in  paper  form,  located  off 

17  the  premises  of  the  entity  involved,  and  not  readily  avail- 

18  able,  the  entity  shall  have  60  days  to  comply  with  or  deny 

19  such  request. 

20  (f)  Repeated  Requests  for  Amendments. — If  an 

21  entity  described  in  subsection  (a)  receives  a  request  for 

22  an  amendment  of  information  as  provided  for  in  such  sub- 

23  section  and  a  statement  of  disagreement  has  been  filed 

24  pursuant  to  subsection  (c),  the  entity  shall  inform  the  indi- 
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1  vidual  of  such  filing  and  shall  not  be  required  to  carry 

2  out  the  procedures  required  under  this  section. 

3  ig)  Rules  of  Construction. — This  section  shall 

4  not  be  construed  to — 

5  (1)  require  that  an  entity  described  in  sub- 

6  section  (a)  conduct  a  formal,  informal,  or  other 

7  hearing  or  proceeding  concerning  a  request  for  an 

8  amendment  to  protected  health  information; 

9  (2)  require  a  provider  to  amend  an  individual's 
10  record  as  to  the  type,  duration,  or  quality  of  treat- 

•  11  ment  the  individual  believes  he  or  she  should  have 

12  been  provided;  or 

13  (3)  require  any  deletion  or  alteration  of  the 

14  original  information, 

1 5  SEC.  103.  NOTICE  OF  CONFIDENTIALITY  PRACTICES. 

16  (a)  Preparation  of  Written  Notice. — health 


17  care  provider,  health  plan,  health  oversight  agency,  public 

18  health  authority,  employer,  health  or  life  insurer,  health 

19  researcher,  school,  or  university  shall  post  or  provide,  in 

20  writing  and  in  a  clear  and  conspicuous  manner,  notice  of 

21  the  entity's  confidentiality  practices,  that  shall  include — 


22  (1)  a  description  of  an  individual's  rights  with 

23  respect  to  protected  health  information; 

24  (2)  the  uses  and  disclosures  of  protected  health 

25  information  authorized  under  this  Act; 
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1  (3)  the  procedures  for  authorizing  disclosures  of 

2  protected  health  information  and  for  revoking  such 

3  authorizations; 

4  (4)  the  procedures  established  by  the  entity  for 

5  the  exercise  of  the  individual's  rights;  and 

6  (5)  the  right  to  obtain  a  copy  of  the  notice  of 

7  the  confidentiality  practices  required  under  this  Act. 

8  (b)  Model  Notice. — The  Secretary,  after  notice 

9  and  opportunity  for  public  comment,  shall  develop  and  dis- 

10  seminate  model  notices  of  confidentiahty  practices.  Use  of 

1 1  the  model  notice  shall  serve  as  an  absolute  defense  against 

12  claims  of  receiving  inappropriate  notice. 

13  Subtitle  B — Establishment  of 

14  Safeguards 

1 5  SEC.  111.  ESTABLISHMENT  OF  SAFEGUARDS. 

16  (a)  In  General. — health  care  provider,  health 

17  plan,  health  oversight  agency,  public  health  authority,  em- 

18  ployer,  health  or  life  insurer,  health  researcher,  law  en- 

19  forcement  official,  school,  or  university  shall  estabhsh  and 

20  maintain  appropriate  administrative,  technical,  and  phys- 

21  ical  safeguards  to  protect  the  confidentiality,  security,  ac- 

22  curacy,  and  integrity  of  protected  health  information  cre- 

23  ated,  received,  obtained,  maintained,  used,  transmitted,  or 

24  disposed  of  by  such  entity. 
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1  (b)  Regulations. — The  Secretary  shall  have  the  au- 

2  thority  to  promulgate  regulations  for  the  implementation 

3  of  subsection  (a). 

4  (c)  Rule  of  Construction. — Safeguards  to  protect 

5  the  security  of  protected  health  information  under  sub- 

6  section  (a)  shall  include  the  implementation  of  policies  or 

7  procedures  to  consider  whether  protected  health  informa- 

8  tion  is  essential  for  a  use  or  disclosure  undertaken  by  an 

9  entity  described  in  such  subsection. 

1 0  SEC.  112.  ACCOUNTING  FOR  DISCLOSURES. 


1 1  (a)  In  General. — 

12  (1)  Health  related  entities. — ^Except  as 

13  provided  in  paragraph  (3),  a  health  care  provider, 

14  health  plan,  health  oversight  agency,  public  health 

15  authority,  employer,  health  or  life  insurer,  health  re- 

16  searcher,  law  enforcement  official,  school,  or  univer- 

17  sity  shall  establish  and  maintain,  with  respect  to  any 

18  protected  health  information  disclosure,  a  record  of 

19  such  disclosure  in  accordance  with  regulations  issued 

20  by  the  Secretary. 

21  (2)  Agent. — Except  as  provided  in  paragraph 

22  (3),  an  agent  shall  maintain  a  record  of  its  disclo- 

23  sures  made  pursuant  to  sections  205  through  212. 

24  (3)  Exception. — record  of  disclosures  under 

25  this  subsection  is  not  required  with  respect  to  disclo- 
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1  sures  made  to  officers  or  employees  of  the  entity 

2  that  maintains  the  record  involved  who,  in  the  per- 

3  formance  of  their  duties,  have  a  need  for  the  pro- 

4  tected  health  information. 

5  (b)  Record  of  Disclosure. — record  established 

6  under  subsection  (a)  shall  be  maintained  for  not  less  than 

7  7  years. 

8  TITLE  II— RESTRICTIONS  ON 

9  USE  AND  DISCLOSURE 

10  SEC.  201.  GENERAL  RULES  REGARDING  USE  AND  DISCLO- 

1 1  SURE. 

12  (a)  Prohibition. — 

13  (1)  General  rule. — health  care  provider, 

14  health  plan,  health  oversight  agency,  public  health 

15  authority,  employer,  health  or  life  insurer,  health  re- 

16  searcher,  law  enforcement  official,  school,  or  univer- 

17  sity  may  not  disclose  protected  health  information 

18  except  as  authorized  under  this  title. 

19  (2)  Rule  op  construction. — Disclosure  of 

20  health  information  in  the  form  of  nonidentifiable 

21  health  information  shall  not  be  construed  as  a  dis- 

22  closure  of  protected  health  information. 

23  (b)  Use  or  Disclosure  op  Protected  Health 

24  Inpormation  Within  an  Entity. — 
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1  (1)  In  general. — ^An  entity  described  in  sub- 

2  section  (a)  may  use  protected  health  information  or 

3  disclose  such  information  within  the  entity  if  such 

4  use  or  disclosure  is  made  pursuant  to  an  authoriza- 

5  tion  under  section  202  or  203  and  consistent  with 

6  the  limitations  under  subsection  (d)  on  the  scope  of 

7  disclosure. 

8  (2)  Agents. — Disclosure  to  agents  of  an  entity 

9  described  in  subsection  (a)  shall  be  considered  as  a 

10  disclosure  within  an  entity. 

1 1  (c)  Disclosure  by  Agents.— An  agent  who  receives 

12  protected  health  information  from  an  entity  described  in 

13  subsection  (a)  shall  be  subject  to  all  rules  of  disclosure 

14  and  safeguard  requirements  under  this  title. 

15  (d)  Scope  of  Disclosure. — Every  disclosure  of 

16  protected  health  information  by  an  entity  under  this  title 

17  shall  be  hmited  to  the  information  necessary  to  accomplish 

1 8  the  purpose  for  which  the  information  is  disclosed. 

19  (e)  No  General  Requirement  to  Disclose. — 

20  Nothing  in  this  title  permitting  the  disclosure  of  protected 

21  health  information  shall  be  construed  to  require  such  dis- 

22  closure. 

23  (f)  Identification  of  Disclosed  Information  as 

24  Protected  Information. — Except  as  otherwise  pro- 

25  vided  in  this  title,  protected  health  information  may  not 
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1  be  disclosed  unless  such  information  is  clearly  identified 

2  as  protected  health  information  that  is  subject  to  this  Act. 

3  ig)  Creation  op  Nonidentifiable  Informa- 

4  TION. — An  entity  described  in  subsection  (a)  may  disclose 

5  protected  health  information  to  an  employee  or  agent  of 

6  the  entity  for  purposes  of  creating  nonidentifiable  infor- 

7  mation,  if  the  entity  prohibits  the  employee  or  agent  of 

8  the  entity  from  using  or  disclosing  the  protected  health 

9  information  for  purposes  other  than  the  sole  purpose  of 

10  creating  nonidentifiable  information  as  specified  by  the  en- 

11  tity. 

12  (h)  Deemed  Disclosures  of  Protected  Health 

1 3  Information . — 

14  (1)  In  general. — Any  individual  or  entity  who 

15  manipulates  a  nonidentifiable  database  in  order  to 

16  identify  an  individual  shall  be  deemed  to  have  dis- 

17  closed  protected  health  information. 

18  (2)  Disclosure  or  transmission  of  an 

19  ANONYMOUS  LINK. — The  disclosure  or  transmission 

20  of  an  anonymous  link  with  any  information  which, 

21  together  with  information  previously  disclosed  with 

22  the  same  hnk,  might  reasonably  be  used  to  identify 

23  an  individual,  shall  be  deemed  to  be  a  disclosure  of 

24  protected  health  information.  Such  a  disclosure  shall 

25  have  the  effect  of  converting  any  previously  dis- 
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1  closed,  nonidentifiable  information  with  the  same 

2  hnk  into  the  protected  health  information. 

3  SEC.  202.  PROCUREMENT  OF  AUTHORIZATIONS  FOR  DIS- 

4  CLOSURE  OF  PROTECTED  HEALTH  INFORMA- 

5  TION    FOR    TREATMENT,    PAYMENT,  AND 

6  HEALTH  CARE  OPERATIONS. 

7  (a)  Requirements  Relating  to  Employers, 

8  Health  Plans,  Uninsured  Individuals,  and  Provid- 

9  ERS. — 

10  (1)  In  general. — To  meet  the  requirements 

11  relating  to  the  authorized  disclosure  of  protected 

12  health  information  under  section  201,  an  authoriza- 

13  tion  form  must  be  secured  for  each  individual  in 

14  connection  with  treatment,  payment  and  health  care 

15  operations. 

16  (2)  Consolidated  authorization. — single 

17  authorization  may  be  secured  for  each  individual  in 

18  connection  with  treatment,  payment,  and  health  care 

19  operations. 

20  (3)  Employers. — Every  employer  offering  a 

21  health  plan  to  its  employees  shall,  at  the  time  of, 

22  and  as  a  condition  of  enrollment  in  the  health  plan, 

23  obtain  a  signed,  written  authorization  that  is  a  legal, 

24  informed  authorization  concerning  the  use  and  dis- 

25  closure  of  protected  health  information  for  treat- 
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1  ment,  payment,  and  health  care  operations  with  re- 

2  spect  to  each  individual  who  is  eligible  to  receive 

3  care  under  the  health  plan. 

4  (4)  Health  plans. — Every  health  plan  offer- 

5  ing  enrollment  to  individual  or  non-employer  groups 

6  shall,  at  the  time  of,  and  as  a  condition  of  enroU- 

7  ment  in  the  health  plan,  obtain  a  signed,  written  au- 

8  thorization  that  is  a  legal,  informed  authorization 

9  concerning  the  use  and  disclosure  of  protected  health 

10  information  for  treatment,  payment,  and  health  care 

11  operations  with  respect  to  each  individual  who  is  eli- 

12  gible  to  receive  care  under  the  plan. 

13  (5)  Uninsured. — ^An  originating  provider  pro- 

14  viding  health  care  to  an  uninsured  individual,  shall 

15  obtain  a  signed,  written  authorization  that  is  a  legal, 

16  informed  authorization  concerning  the  use  and  dis- 

17  closure  of  protected  health  information,  in  providing 

18  health  care  or  arranging  for  health  care  from  other 

19  providers  or  seeking  payment  for  the  provision  of 

20  health  care  services. 

21  (6)  Providers. — Every  health  care  provider 

22  providing  health  care  to  an  individual  who  has  not 

23  given  an  authorization  under  paragraph  (3),  (4),  or 

24  (5),  shall,  at  the  time  of  providing  such  care,  obtain 

25  a  signed,  written  authorization  concerning  the  use 
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1  and  disclosure  of  protected  health  information  for 

2  treatment,  payment,  and  health  care  operations  with 

3  respect  to  such  individual.  Nothing  in  this  section 

4  shall  be  construed  to  require  that  a  health  care  pro- 

5  vider  secure  an  authorization  in  addition  to  an  au- 

6  thorization  secured  under  paragraph  (3),  (4),  or  (5). 

7  (b)  Requirements  for  Individual  Authoriza- 

8  TION. — To  be  valid,  an  authorization  to  disclose  protected 

9  health  information  shall — 

10  (1)  identify  the  individual  involved; 

11  (2)  describe  the  nature  of  the  health  care  infor- 

12  mation  to  be  disclosed; 

13  (3)  identify  the  type  of  person  to  whom  the  in- 

14  formation  is  to  be  disclosed; 

15  (4)  describe  the  purpose  of  the  disclosure,  in- 

16  eluding  whether  the  information  may  be  used  for 

17  disease  management  or  medication  compliance; 

18  (5)  be  subject  to  revocation  by  the  individual 

19  and  indicate  that  the  authorization  is  vahd  until  rev- 

20  ocation  by  the  individual;  and 

21  (6)(A)  be  either— 

22  (i)  in  writing,  dated,  and  signed  by  the  in- 

23  dividual;  or 
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1  (ii)  in  electronic  form,  dated  and  authenti- 

2  cated  by  the  individual  using  a  unique  identi- 

3  fier;  and 

4  (B)  not  have  been  revoked  under  paragraph  (c). 

5  (c)  Revocation  of  Authorization. — 

6  (1)  In  general. — ^An  individual  may  revoke  in 

7  writing  an  authorization  under  this  section  at  any 

8  time,  unless  the  disclosure  that  is  the  subject  of  the 

9  authorization  is  required  to  effectuate  payment  for 

10  health  care  that  has  been  provided  to  the  individual 

11  for  which  the  individual  has  not  agreed  to  assume 

12  personal  financial  responsibility. 

13  (2)  Exception  for  self-payment. — ^An  indi- 

14  vidual  may  revoke  a  prior  authorization  for  payment 

15  or  health  care  operations  described  in  paragraphs 

16  (1)  through  (6)  of  subsection  (a)  prior  to  a  single  or 

17  series  of  encounters  with  a  health  care  provider  if 

18  such  individual  has  agreed  to  assume  personal  finan- 

19  cial  responsibility  for  the  treatment. 

20  (3)  Health  plans. — ^With  respect  to  a  health 

21  plan,  the  authorization  of  an  individual  is  deemed  to 

22  be  revoked  at  the  time  of  the  cancellation  or  non-re- 

23  newal  of  enrollment  in  the  health  plan,  except  as 

24  may  be  necessary  to  complete  health  care  operations 


S  578  IS  -  5 


34 

1  and  payment  requirements  related  to  the  individual's 

2  period  of  enrollment. 

3  (4)  Actions. — ^An  individual  may  not  maintain 

4  an  action  against  a  person  for  disclosure  of  pro- 

5  tected  health  information  made  in  good  faith  reli- 

6  ance  on  the  individual's  authorization  at  the  time 

7  disclosure  was  made. 

8  (d)  Record  of  Individual's  Authorizations  and 

9  Revocations. — 

10  (1)  In  general. — Each  person  collecting  or 

1 1  storing  protected  health  information  shall  maintain 

12  a  record  for  a  period  of  7  years  of  each  authoriza- 

13  tion  of  an  individual  and  revocation  thereof. 

14  (2)  Rule  of  construction. — Records  of  au- 

15  thorizations  and  revocations  maintained  under  para- 

16  graph  (1)  shall  not  be  construed  to  be  protected 

17  health  information  under  this  Act. 

18  (e)  No  Waiver. —  Except  as  provided  for  in  this  Act, 

19  an  authorization  to  disclose  protected  health  information 

20  by  an  individual  shall  not  be  construed  as  a  waiver  of  any 

21  rights  that  the  individual  has  under  other  Federal  or  State 

22  laws,  the  rules  of  evidence,  or  common  law. 

23  (f)  Rule  of  Construction. — ^Authorizations  for 

24  the  disclosure  of  protected  health  information  for  treat- 

25  ment,  payment,  and  health  care  operations  shall  not  au- 
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1  thorize  the  disclosure  of  such  information  by  an  individual 

2  with  the  intent  to  sell,  transfer,  or  use  protected  health 

3  information  for  the  purpose  of  marketing  a  product  or 

4  service.  For  such  disclosures  a  separate  authorization  is 

5  required  under  section  203. 

6  SEC.  203.  AUTHORIZATIONS  FOR  DISCLOSURE  OF  PRO- 

7  TECTED  HEALTH  INFORMATION  OTHER  THAN 

8  FOR  TREATMENT,   PAYMENT,   OR  HEALTH 

9  CARE  OPERATIONS. 

10  (a)  Written  Authorizations. — health  care  pro- 

11  vider,  health  plan,  health  oversight  agency,  health  re- 

12  searcher,  public  health  authority,  law  enforcement  official, 

13  employer,  health  or  life  insurer,  school,  or  university  may 

14  disclose  protected  health  information,  for  purposes  other 

15  than  those  authorized  under  section  202,  pursuant  to  an 

16  authorization  executed  by  the  individual  who  is  the  subject 

17  of  the  information  that  meets  the  requirements  of  section 

18  202(b).  Such  an  authorization  shall  be  separate  from  an 

19  authorization  provided  under  section  202. 

20  (b)  Limitation  on  Authorizations. — ^An  entity 

21  described  in  section  202  may  not  condition  the  delivery 

22  of  treatment  or  payment  for  services  on  the  receipt  of  an 

23  authorization  described  in  this  section. 

24  (c)  Revocation  or  Amendment  of  Authoriza- 

25  TION. — 
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1  (1)  In  general. — ^An  individual  may  in  writing 

2  revoke  or  amend  an  authorization  described  in  sub- 

3  section  (a). 

4  (2)  Notice  of  revocation. — ^An  entity  de- 

5  scribed  in  subsection  (a)  that  discloses  protected 

6  health  information  pursuant  to  an  authorization  that 

7  has  been  revoked  under  paragraph  (1)  shall  not  be 

8  subject  to  any  hability  or  penalty  under  this  title  if 

9  that  entity  had  no  actual  or  constructive  notice  of 

10  the  revocation. 

11  (d)    Requirement    To    Release  Protected 

12  Health  Information  to  Coroners  and  Medical  Ex- 

13  AMINERS. — 

14  (1)  In  general. — ^When  a  Coroner  or  Medical 

15  Examiner  or  their  duly  appointed  deputies  seek  pro- 

16  tected  health  information  for  the  purpose  of  inquiry 

17  into  and  determination  of,  the  cause,  manner,  and 

18  circumstances  of  a  death,  the  health  care  provider, 

19  health  plan,  health  oversight  agency,  public  health 

20  authority,  employer,  health  or  life  insurer,  health  re- 

21  searcher,  law  enforcement  official,  school,  or  univer- 

22  sity  involved  shall  provide  the  protected  health  infor- 

23  mation  to  the  Coroner  or  Medical  Examiner  or  to 

24  the  duly  appointed  deputies  without  undue  delay. 
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1  (2)  Production  of  additional  informa- 

2  TION. — If  a  Coroner  or  Medical  Examiner  or  their 

3  duly  appointed  deputies  receives  health  information 

4  from  an  entity  referred  to  in  paragraph  (1),  such 

5  health  information  shall  remain  as  protected  health 

6  information  unless  the  health  information  is  at- 

7  tached  to  or  otherwise  made  a  part  of  a  Coroner's 

8  or  Medical  Examiner's  official  report,  in  which  case 

9  it  shall  no  longer  be  protected. 

10  (3)  Exemption. — Health  information  attached 

11  to  or  otherwise  made  a  part  of  a  Coroner's  or  Medi- 

12  cal  Examiner's  official  report,  shall  be  exempt  from 

13  the  provisions  of  this  Act  except  as  provided  for  in 

14  this  subsection. 

15  (4)  Reimbursement. — Coroner  or  Medical 

16  Examiner  may  require  a  person  to  reimburse  their 

17  Office  for  the  reasonable  costs  associated  with  such 

18  inspection  or  copying. 

19  (e)  Disclosure  for  Purpose  Only. — recipient 

20  of  information  pursuant  to  an  authorization  under  this 

21  section  may  use  or  disclose  such  information  solely  to 

22  carry  out  the  purpose  for  which  the  information  was  au- 

23  thorized  for  release. 

24  (f)  Model  Authorizations. — The  Secretary,  after 

25  notice  and  opportunity  for  public  comment,  shall  develop 
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1  and  disseminate  model  written  authorizations  of  the  type 

2  described  in  subsection  (a).  Any  authorization  obtained  on 

3  a  model  authorization  form  developed  by  the  Secretary 

4  shall  be  deemed  to  meet  the  authorization  requirements 

5  of  this  section. 

6  SEC.  204.  NEXT  OF  Km  AND  DIRECTORY  D»JFORMATION. 

7  (a)  Next  of  Kin. — health  care  provider,  or  a  per- 

8  son  who  receives  protected  health  information  under  sec- 

9  tion  205,  may  disclose  protected  health  information  re- 

10  garding  an  individual  to  the  individual's  next  of  kin,  an 

11  individual's  representative,  or  to  another  person  whom  the 

12  individual  has  identified,  if — 


13  (1)  the  individual  who  is  the  subject  of  the 

14  information — 

15  (A)  has  been  notified  of  the  individual's 

16  right  to  object  to  such  disclosure  and  the  indi- 

17  vidual  has  not  objected  to  the  disclosure;  or 

18  (B)  is  in  a  physical  or  mental  condition 

19  such  that  the  individual  is  not  capable  of  object- 

20  ing,  and  there  are  no  prior  indications  that  the 

21  individual  would  object; 

22  (2)  the  information  disclosed  relates  to  health 

23  care  currently  being  provided  to  that  individual;  or 
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1  (3)  the  disclosure  of  the  protected  health  infor- 

2  mation  is  consistent  with  good  medical  or  profes- 

3  sional  practice. 

4  (b)  Directory  Information. — 

5  (1)  Disclosure. — 

6  (A)  In  general. — Except  as  provided  in 

7  paragraph  (2),  an  entity  described  in  subsection 

8  (a)  may  disclose  the  information  described  in 

9  subparagraph  (B)  to  any  person  if  the  individ- 

10  ual  who  is  the  subject  of  the  information — 

11  (i)  has  been  notified  of  the  individ- 

12  ual's  right  to  object  and  the  individual  has 

13  not  objected  to  the  disclosure;  or 

14  (ii)  is  in  a  physical  or  mental  condi- 

15  tion  such  that  the  individual  is  not  capable 

16  of  objecting,  the  individual's  next  of  kin 

17  has  not  objected,  and  there  are  no  prior  in- 

18  dications  that  the  individual  would  object. 

19  (B)  Information. — Information  described 

20  in  this  subparagraph  is  information  that  con- 

21  sists  only  of  1  or  more  of  the  following  items: 

22  (i)  The  name  of  the  individual  who  is 

23  the  subject  of  the  information. 

24  (ii)  The  general  health  status  of  the 

25  individual,  described  as  critical,  poor,  fair. 
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1  stable,  or  satisfactory  or  in  terms  denoting 

2  similar  conditions. 

3  (iii)  The  location  of  the  individual  on 

4  premises  controlled  by  a  provider. 

5  (2)  Exception. — 

6  (A)     Location. — Paragraph  (l)(B)(iii) 

7  shall  not  apply  if  disclosure  of  the  location  of 

8  the  individual  would  reveal  specific  information 

9  about  the  physical  or  mental  condition  of  the 

10  individual,  unless  the  individual  expressly  au- 

11  thorizes  such  disclosure. 

12  (B)  Directory  or  next  of  kin  infor- 

13  mation. — disclosure  may  not  be  made  under 

14  this  section  if  the  health  care  provider  involved 

15  has  reason  to  believe  that  the  disclosure  of  di- 

16  rectory  or  next  of  kin  information  could  lead  to 

17  the  physical  or  mental  harm  of  the  individual, 

18  unless  the  individual  expressly  authorizes  such 

19  disclosure. 

20  (c)  Identification  of  Deceased  Individual. — 


21  An  entity  described  in  subsection  (a)  may  disclose  pro- 

22  tected  health  information  if  such  disclosure  is  necessary 

23  to  assist  in  the  identification  or  safe  handling  of  a  de-  | 

24  ceased  individual.  i 

25  (d)  Rights  of  Minors. — 

I 

t 
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1  (1)  Individuals  who  are  i8  or  legally  ca- 

2  PABLE. — In  the  case  of  an  individual — 

3  (A)  who  is  18  years  of  age  or  older,  all 

4  rights  of  the  individual  under  this  title  shall  be 

5  exercised  by  the  individual;  or 

6  (B)  who,  acting  alone,  can  obtain  a  type  of 

7  health  care  without  violating  any  applicable 

8  Federal  or  State  law,  and  who  has  sought  such 

9  care,  the  individual  shall  exercise  all  rights  of 

10  the  individual  under  this  title  with  respect  to 

11  protected  health  information  relating  to  such 

12  health  care. 

13  (2)  Individuals  under  is. — Except  as  pro- 

14  vided  in  paragraph  (1)(B),  in  the  case  of  an  individ- 

15  ual  who  is — 

16  (A)  under  14  years  of  age,  all  of  the  indi- 

17  vidual's  rights  under  this  title  shall  be  exercised 

18  through  the  parent  or  legal  guardian;  or 

19  (B)  at  least  14  but  under  18  years  of  age, 

20  the  rights  of  inspection  and  amendment,  and 

21  the  right  to  authorize  use  and  disclosure  of  pro- 

22  tected  health  information  of  the  individual  shall 

23  be  exercised  by  the  individual,  or  by  the  parent 

24  or  legal  guardian  of  the  individual. 
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1  SEC.  205.  EMERGENCY  CIRCUMSTANCES. 

2  Any  person  who  creates  or  receives  protected  health 

3  information  under  this  title  may  disclose  protected  health 

4  information  in  emergency  circumstances  when  necessary 

5  to  protect  the  health  or  safety  of  the  individual  who  is 

6  the  subject  of  such  information  from  serious,  imminent 

7  harm.  No  disclosure  made  in  the  good  faith  belief  that 

8  the  disclosure  was.  necessary  to  protect  the  health  or  safety 

9  or  an  individual  from  serious,  imminent  harm  shall  be  in 

10  violation  of,  or  punishable  under,  this  Act. 

1 1  SEC.  206.  OVERSIGHT. 

12  (a)  In  General. — ^A  health  care  provider,  health 

13  plan,  employer,  health  or  life  insurer,  law  enforcement  of- 

14  ficial,  school,  or  university  may  disclose  protected  health 

15  information  to  a  health  oversight  agency  for  purposes  of 

16  an  oversight  function  authorized  by  law. 

17  (b)  Public  Health  and  Health  Research. — ^A 

18  public  health  authority  or  health  researcher  may  disclose 

19  protected  health  information  to  a  health  oversight  agency 

20  for  purposes  of  an  oversight  function  of  the  pubHc  health 

21  authority  or  health  researcher  authorized  by  law. 

22  (c)  Authorization  by  a  Supervisor. — For  pur- 
23 '  poses  of  this  section,  the  individual  with  authority  to  au- 

24  thorize  the  oversight  function  involved  shall  provide  to  the 

25  entity  described  in  subsection  (a)  or  (b)  a  statement  that 
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1  the  protected  health  information  is  being  sought  for  a  le- 

2  gaily  authorized  oversight  function. 

3  (d)  Use  in  Action  Against  Individuals. — Pro- 

4  tected  health  information  about  an  individual  that  is  dis- 

5  closed  under  this  section  may  not  be  used  in,  or  disclosed 

6  to  any  person  for  use  in,  an  administrative,  civil,  or  crimi- 

7  nal  action  or  investigation  directed  against  the  individual 

8  unless  the  action  or  investigation  arises  out  of  and  is  di- 

9  rectly  related  to — 


10  (1)  the  receipt  of  health  care  or  payment  for 

1 1  health  care; 

12  (2)  an  action  involving  a  fraudulent  claim  relat- 

13  ed  to  health;  or 

14  (3)  an  action  involving  oversight  of  a  public 

15  health  authority  or  a  health  researcher. 

16  SEC.  207.  PUBLIC  HEALTH. 

17  A  health  care  provider,  health  plan,  public  health  au- 


18  thority,  employer,  health  or  life  insurer,  law  enforcement 

19  official,  school,  or  university  may  disclose  protected  health 

20  information  to  a  public  health  authority  or  other  person 

21  authorized  by  law  for  use  in  a  legally  authorized — 

22  (1)  disease  or  injury  report; 

23  (2)  public  health  surveillance;  or 

24  (3)  public  health  investigation  or  intervention. 
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1  SEC.  208.  HEALTH  RESEARCH. 

2  (a)  In  General. — A  health  care  provider,  health 

3  plan,  public  health  authority,  employer,  health  or  life  in- 

4  surer,  school,  or  university  may  disclose  protected  health 

5  information  to  a  health  researcher  if — 

6  (1)  the  research  involves  human  subjects  con- 

7  ducted  or  supported  by  any  Federal  department  or 

8  agency  and  the  researcher  complies  with  the  com- 

9  mon  rule; 

10  (2)  the  research  is  a  clinical  investigation  in- 

11  volving  human  subjects  and  the  researcher  follows 

12  the  regulations  of  the  Food  and  Drug  Administra- 

13  tion  governing  confidentiality  procedures;  or 

14  (3)  the  research  is  not  subject  to  the  Federal 

15  Policy  for  the  Protection  of  Human  Subjects. 

16  (b)  Periodic  Review  and  Technical  Assistance 

17  OF  Institutional  Review  Boards  Involved  With 

18  THE  Federal  Policy  for  Protection  of  Human 

19  Subjects. — 

20  (1)  Institutional  review  board. — ^Any  in- 

21  stitutional  review  board  that  authorizes  research 

22  under  this  section  pursuant  to  the  common  rule  shall 

23  keep  records  of  the  names  and  addresses  of  all  mem- 

24  bers  who  participate  in  such  authorizations  for  pos- 

25  sible  review  or  audit. 
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1  (2)  Technical  assistance. — The  Secretary 

2  may  provide  technical  assistance  to  institutional  re- 

3  view  boards  described  in  this  section. 

4  (3)  Monitoring. — The  Secretary  shall  periodi- 

5  cally  monitor  institutional  review  boards  described  in 

6  this  section. 

7  (4)  Reports. — Not  later  than  3  years  after  the 

8  date  of  enactment  of  this  Act,  the  Secretary  shall  re- 

9  port  to  Confess  regarding  the  activities  of  institu- 

10  tional  review  boards  described  in  this  section. 

11  (c)  Review  of  the  Common  Rule  by  the  Sec- 

12  RETARY. — The  Secretary  shall  review  the  requirements  of 

13  the  common  rale  pertaining  to  the  privacy  of  protected 

14  health  information  and  shall  promulgate  any  amendments 

15  to  the  common  rale  that  may  be  necessary  to  ensure  the 

16  confidentiality  of  such  information. 

17  (d)  Recommendations  With  Respect  to  Pri- 

18  VACY. — 

19  (1)  In  general. — Not  later  than  the  date  that 

20  is  12  months  after  the  date  of  the  enactment  of  this 

21  Act,  the  Secretary  shall  submit  to  the  Committee  on 

22  Labor  and  Human  Resources  of  the  Senate  detailed 

23  recommendations  on  standards  with  respect  to  the 

24  privacy  of  individually  identifiable  health  information 

25  in  research  described  in  subsection  (a)(3). 
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1  (2)  Rule  of  construction. — ^In  formulating 

2  the  recommendations  under  paragraph  (1),  the  Sec- 

3  retary  shall  consider  the  findings  of  the  National 

4  Bioethies  Advisory  Commission  and  the  results  of 

5  the  General  Accounting  Office  report  authorized  by 

6  section  402. 

7  (3)   Regulations. — If  legislation  governing 

8  standards  with  respect  to  the  privacy  of  individually 

9  identifiable  health  information  transmitted  in  con- 

10  nection  with  research  described  in  subsection  (a)(3) 

11  is  not  enacted  by  the  date  that  is  24  months  after 

12  the  date  of  the  enactment  of  this  Act,  the  Secretary 

13  shall  promulgate  final  regulations  containing  such 

14  standards  not  later  than  the  date  that  is  30  months 

15  after  the  date  of  the  enactment  of  this  Act. 

16  SEC.  209.  DISCLOSURE  IN  CIVIL,  JUDICIAL,  AND  ADMINIS- 

17  TRATIVE  PROCEDURES. 

18  (a)  In  General. — ^A  health  care  provider,  health 

19  plan,  public  health  authority,  employer,  health  or  life  in- 

20  surer,  law  enforcement  official,  school,  or  university  may 

21  disclose  protected  health  information  pursuant  to  a  discov- 

22  ery  request  or  subpoena  in  a  civil  action  brought  in  a  Fed- 

23  eral  or  State  court  or  a  request  or  subpoena  related  to 

24  a  Federal  or  State  administrative  proceeding,  but  only  if 
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1  the  disclosure  is  made  pursuant  to  a  court  order  as  pro- 

2  vided  for  in  subsection  (b). 

3  (b)  Court  Orders. — 

4  (1)  Standard  for  issuance. — In  considering 

5  a  request  for  a  court  order  regarding  the  disclosure 

6  of  protected  health  information  under  subsection  (a), 

7  the  court  shall  issue  such  order  if  the  court  deter- 

8  mines  that  without  the  disclosure  of  such  informa- 

9  tion,  the  person  requesting  the  order  would  be  im- 

10  paired  from  establishing  a  claim  or  defense. 

11  (2)  Requirements. — ^An  order  issued  under 

12  paragraph  (1)  shall — 

13  (A)  provide  that  the  protected  health  infor- 

14  mation  involved  is  subject  to  court  protection; 

15  (B)  specify  to  whom  the  information  may 

16  be  disclosed; 

17  (C)  specify  that  such  information  may  not 

18  otherwise  be  disclosed  or  used;  and 

19  (D)  meet  any  other  requirements  that  the 

20  court  determines  are  needed  to  protect  the  con- 

21  fidentiality  of  the  information. 

22  (c)  Applicability. — This  section  shall  not  apply  in 

23  a  case  in  which  the  protected  health  information  sought 

24  under  such  discovery  request  or  subpoena — 

25  (1)  is  nonidentifiable  health  information; 
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1  (2)  is  related  to  a  party  to  the  litigation  whose 

2  medical  condition  is  at  issue;  or 

3  (3)  could  be  disclosed  under  any  of  sections  202 

4  through  208,  210,  and  212. 

5  (d)  Effect  of  Section. — This  section  shall  not  be 

6  construed  to  supersede  any  grounds  that  may  apply  under 

7  Federal  or  State  law  for  objecting  to  turning  over  the  pro- 

8  tected  health  information. 

9  SEC.  210.  DISCLOSURE  FOR  LAW  ENFORCEMENT  PUR- 

10  POSES. 

11  (a)  In  General. — health  care  provider,  health 

12  plan,  health  oversight  agency,  employer,  health  or  life  in- 

13  surer,  school,  university,  or  person  who  receives  protected 

14  health  information  pursuant  to  sections  203  through  208, 

15  may  disclose  protected  health  information  under  this  sec- 

16  tion,  except  to  a  health  oversight  agency  governed  by  sec- 

17  tion  206,  if  the  disclosure  is  pursuant  to — 


18  (1)  a  subpoena  issued  under  the  authority  of  a 

19  grand  jury; 

20  (2)  an  administrative  subpoena  or  summons  or 

21  judicial  subpoena  or  warrant;  or 

22  (3)  a  Federal  or  State  law  requiring  the  report- 

23  ing  of  specific  medical  information  to  law  enforce- 

24  ment  authorities. 
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1  (b)  Probable  Cause. — subpoena  or  summons  for 

2  a  disclosure  under  paragraph  (1)  or  (2)  of  subsection  (a) 

3  shall  only  be  issued  if  the  law  enforcement  agency  involved 

4  shows  that  there  is  probable  cause  to  believe  that  the  in- 

5  formation  is  relevant  to  a  legitimate  law  enforcement  in- 

6  quiry. 

7  (c)  Destruction  or  Return  of  Information. — 

8  When  the  matter  or  need  for  which  protected  health  infor- 

9  mation  was  disclosed  to  a  law  enforcement  agency  or 

10  grand  jury  under  subsection  (a)  has  concluded,  including 

1 1  any  derivative  matters  arising  from  such  matter  or  need, 

12  the  law  enforcement  agency  or  grand  jury  shall  either  de- 

13  stroy  the  protected  health  information,  or  return  it  to  the 

14  person  from  whom  it  was  obtained. 

15  (d)  Redactions. — To  the  extent  practicable,  and 

16  consistent  with  the  requirements  of  due  process,  a  law  en- 

17  forcement  agency  shall  redact  personally  identifying  infor- 

18  mation  from  protected  health  information  prior  to  the 

19  public  disclosure  of  such  protected  information  in  a  judi- 

20  cial  or  administrative  proceeding. 

21  (e)  Use  of  Information. — ^Protected  health  infor- 

22  mation  obtained  by  a  law  enforcement  agency  pursuant 

23  to  this  section  may  only  be  used  for  purposes  of  a  legiti- 

24  mate  law  enforcement  activity. 
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1  (f)  Exclusion  of  Evidence. — If  protected  health 

2  information  is  obtained  without  meeting  the  requirements 

3  of  paragraphs  (1),  (2),  and  (3)  of  subsection  (a),  any  such 

4  information  that  is  unlawfully  obtained  shall  be  excluded 

5  from  court  proceedings  unless  the  defendant  requests  oth- 

6  erwise. 

7  SEC.  211.  DISCLOSURES  FOR  POSTMARKETING  ADVERSE 

8  EXPERffiNCE  REPORTING  FOR  HUMAN  DRUG 

9  AND  LICENSED  BIOLOGICAL  PRODUCTS. 

10  (a)  Adverse  Experience  Reports. — 

11  (1)  In  GENERAL. — Pursuant  to  the  regulations 

12  of  the  Food  and  Drug  Administration  at  sections 

13  310.305,  314.80,  and  600.80  of  title  21,  Code  of 

14  Federal  Regulations,  manufacturers,  packers,  and 

15  distributors  of  approved  new  drug  applications,  ab- 

16  breviated  new  drug  applications,  antibiotic  applica- 

17  tions,  marketed  prescription  of  drugs  for  human  use, 

18  and  approved  biologic  product  license  apphcations 

19  shall  report  adverse  experiences  in  accordance  with 

20  such  section. 

21  (2)  No  IDENTIFICATION  OF  PATIENTS. — In  ac- 

22  cordance  with  the  August  1997  Guidance  for  Indus- 

23  try  of  the  Food  and  Drug  Administration,  patients 

24  shall  not  be  identified  by  name,  address,  or  social  se- 

25  curity  number  in  any  report  described  in  paragraph 
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1  (1).  The  manufacturer,  packer,  or  distributor  in- 

2  volved  shall  assign  a  code  for  a  patient  in  each  such 

3  report. 

4  (3)  NON  LIABILITY  UNDER  ACT. — manufac- 

5  turer,  packer,  or  distributor  who  submits  an  adverse 

6  report  in  accordance  with  this  subsection  and  the 

7  regulations  described  in  paragraph  (1)  shall  not  be 

8  '  liable  under  this  Act. 

9  (b)  Rule  of  Construction. — ^An  adverse  experi- 

10  ence  report  written  in  accordance  with  the  regulations  de- 

1 1  scribed  in  subsection  (a)  shall  be  deemed  to  be  a  disclosure 

12  of  non-identifiable  information  under  this  Act. 

13  SEC.  212.  PAYMENT  CARD  AND  ELECTRONIC  PAYMENT 

14  TRANSACTION. 

15  (a)  Payment  for  Health  Care  Through  Card 

16  OR  Electronic  Means. — If  an  individual  pays  for  health 

17  care  by  presenting  a  debit,  credit,  or  other  payment  card 

18  or  account  number,  or  by  any  other  electronic  payment 

19  means,  the  entity  receiving  payment  may  disclose  to  a  per- 

20  son  described  in  subsection  (b)  only  such  protected  health 

21  information  about  the  individual  as  is  necessary  for  the 

22  processing  of  the  payment  transaction  or  the  billing  or  col- 

23  lection  of  amounts  charged  to,  debited  from,  or  otherwise 

24  paid  by,  the  individual  using  the  card,  number,  or  other 

25  electronic  means. 

•S  578  IS 


52 

1  (b)  Transaction  Processing. — person  who  is  a 

2  debit,  credit,  or  other  payment  card  issuer,  or  is  otherwise 

3  directly  involved  in  the  processing  of  payment  transactions 

4  involving  such  cards  or  other  electronic  payment  trans- 

5  actions,  or  is  otherwise  directly  involved  in  the  billing  or 

6  collection  of  amounts  paid  through  such  means,  may  use 

7  or  disclose  protected  health  information  about  an  individ- 

8  ual  that  has  been  disclosed  in  accordance  with  subsection 

9  (a)  only  when  necessary  for — 


10  (1)  the  authorization,  settlement,  billing  or  col- 
li lection  of  amounts  charged  to,  debited  from,  or  oth- 

12  erwise  paid  the  individual  using  a  debit,  credit,  or 

13  other  payment  card  or  account  number,  or  by  other 

14  electronic  payment  means; 

15  (2)  the  transfer  of  receivables,  accounts,  or  in- 

16  terest  therein; 

17  (3)  the  audit  of  the  debit,  credit,  or  other  pay- 

18  ment  card  account  information; 

19  (4)  comphance  with  Federal,  State,  or  local  law, 

20  or 

21  (5)  comphance  with  a  properly  authorized  civil, 

22  criminal,  or  regulatory  investigation  by  Federal, 

23  State,  or  local  authorities  as  governed  by  the  re- 

24  quirements  of  this  section. 
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1  SEC.  213.  STANDARDS  FOR  ELECTRONIC  DISCLOSURES. 

2  The  Secretary  shall  promulgate  standards  for  disclos- 

3  ing,  authorizing,  and  authenticating,  protected  health  in- 

4  formation  in  electronic  form  consistent  with  this  title. 

5  SEC.  214.  INDIVIDUAL  REPRESENTATIVES. 

6  (a)  In  General. — ^Except  as  provided  in  subsections 

7  (b)  and  (c),  a  person  who  is  authorized  by  law  (based  on 

8  grounds  other  than  the  individual  being  a  minor),  or  by 

9  an  instrument  recognized  under  law,  to  act  as  an  agent, 

10  attorney,  proxy,  or  other  legal  representative  of  a  pro- 

11  teeted  individual,  may,  to  the  extent  so  authorized,  exer- 

12  eise  and  discharge  the  rights  of  the  individual  under  this 

13  Act. 

14  (b)  Health  Care  Power  of  Attorney. — ^A  person 

15  who  is  authorized  by  law  (based  on  grounds  other  than 

16  being  a  minor),  or  by  an  instrument  recognized  under  law, 

17  to  make  decisions  about  the  provision  of  health  care  to 

18  an  individual  who  is  incapacitated,  may  exercise  and  dis- 

19  charge  the  rights  of  the  individual  under  this  Act  to  the 

20  extent  necessary  to  effectuate  the  terms  or  purposes  of 

21  the  grant  of  authority. 

22  (c)  No  Court  Declaration. — If  a  health  care  pro- 

23  vider  determines  that  an  individual,  who  has  not  been  de- 

24  clared  to  be  legally  incompetent,  suffers  from  a  medical 

25  condition  that  prevents  the  individual  from  acting  know- 

26  ingly  or  effectively  on  the  individual's  own  behalf,  the  right 
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1  of  the  individual  to  authorize  disclosure  under  this  Act 

2  may  be  exercised  and  discharged  in  the  best  interest  of 

3  the  individual  by — 

4  (1)  a  person  described  in  subsection  (b)  with  re- 

5  spect  to  the  individual; 

6  (2)  a  person  described  in  subsection  (a)  with  re- 

7  spect  to  the  individual,  but  only  if  a  person  de- 

8  scribed  in  paragraph  (1)  cannot  be  contacted  after 

9  a  reasonable  effort; 

10  (3)  the  next  of  kin  of  the  individual,  but  only 

11  if  a  person  described  in  paragraph  (1)  or  (2)  cannot 

12  be  contacted  after  a  reasonable  effort;  or 

13  (4)  the  health  care  provider,  but  only  if  a  per- 

14  son  described  in  paragraph  (1),  (2),  or  (3)  cannot  be 

15  contacted  after  a  reasonable  effort. 

16  (d)  Application  to  Deceased  Individuals. — The 

17  provisions  of  this  Act  shall  continue  to  apply  to  protected 

18  health  information  concerning  a  deceased  individual  for  a 

19  period  of  2 -years  following  the  death  of  that  individual. 

20  (e)  Exercise  of  Rights  on  Behalf  of  a  De- 

21  ceased  Individual. — ^A  person  who  is  authorized  by  law 

22  or  by  an  instrument  recognized  under  law,  to  act  as  an 

23  executor  of  the  estate  of  a  deceased  individual,  or  other- 

24  wise  to  exercise  the  rights  of  the  deceased  individual,  may, 

25  to  the  extent  so  authorized,  exercise  and  discharge  the 
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1  rights  of  such  deceased  individual  under  this  Act  for  a  pe- 

2  riod  of  2 -years  following  the  death  of  that  individual.  If 

3  no  such  designee  has  been  authorized,  the  rights  of  the 

4  deceased  individual  may  be  exercised  as  provided  for  in 

5  subsection  (c). 

6  SEC.  215.  LIMITED  LIABILITY  FOR  LAW  ENFORCEMENT  OF- 

7  FICERS. 

8  Federal  and  State  law  enforcement  officers  shall  not 

9  be  personally  liable  for  violations  of  this  Act  unless  it  is 

10  shown  that  the  violation  was  a  result  of  intentional  con- 

11  duct  committed  with  the  intent  to  sell,  transfer,  or  use 

12  protected  health  information  for  commercial  advantage, 

13  personal  gain,  or  malicious  harm. 

1 4  SEC.  216.  NO  LIABILITY  FOR  PERMISSIBLE  DISCLOSURES. 

15  A  health  care  provider,  health  plan,  health  oversight 

16  agency,  health  researcher,  public  health  authority,  law  en- 

17  forcement  official,  employer,  health  or  hfe  insurer,  school, 

18  or  university  who  makes  a  disclosure  of  protected  health 

19  information  about  an  individual  that  is  permitted  by  this 

20  Act  shall  not  be  liable  to  the  individual  for  such  disclosure 

21  under  common  law. 
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1  TITLE  III— SANCTIONS 

2  Subtitle  A — Criminal  Provisions 

3  SEC.    301.    WRONGFUL    DISCLOSURE    OF  PROTECTED 

4  HEALTH  DEFORMATION. 

5  (a)  In  General. — Part  I  of  title  18,  United  States 


6  Code,  is  amended  by  adding  at  the  end  the  following: 

7  "CHAPTER  124— WRONGFUL  DISCLOSURE 

8  OF  PROTECTED  HEALTH  INFORMATION 

"Sec. 

"2801.  Wrongful  disclosure  of  protected  health  information. 

9  "§2801.  Wrongful  disclosure  of  protected  health  in- 


10  formation 

11  "(a)  Offense. — The  penalties  described  in  sub- 

12  section  (b)  shaU  apply  to  a  person  that  knowingly  and 

13  intentionally — 

14  "(1)  obtains  protected  health  information  relat- 

15  ing  to  an  individual  in  violation  of  title  II  of  the 

16  Health  Care  PIN  Act; 

17  "(2)  discloses  protected  health  information  to 

18  another  person  in  violation  of  title  II  of  the  Health 

19  Care  PIN  Act;  or 

20  "(3)  uses  protected  health  information  in  viola- 

21  tion  of  title  II  of  the  Health  Care  PIN  Act. 

22  "(b)  Penalties. — ^A  person  described  in  subsection 

23  (a)  shall— 
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1  "(1)  be  fined  not  more  than  $50,000,  impris- 

2  oned  not  more  than  1  year,  or  both; 

3  "(2)  if  the  offense  is  conmiitted  under  false  pre- 

4  tenses,  be  fined  not  more  than  $250,000,  imprisoned 

5  not  more  than  5  years,  or  any  combination  of  such 

6  penalties; 

7  "(3)  if  the  offense  is  committed  with  the  intent 
-8  to  sell,  transfer,  or  use  protected  health  information 
9  for  commercial  advantage,  personal  gain,  or  mali- 

10  cious  harm,  be  fined  not  more  than  $500,000,  im- 

11  prisoned  not  more  than  10  years,  excluded  from  par- 

12  ticipation  in  any  federally  funded  health  care  pro- 

13  grams,  or  any  combination  of  such  penalties. 

14  "(c)  Subsequent  Offenses. — In  the  case  of  a  per- 

15  son  described  in  subsection  (a),  the  maximum  penalties 

16  described  in  subsection  (b)  shall  be  doubled  for  every  sub- 

17  sequent  conviction  for  an  offense  arising  out  of  a  violation 

18  or  violations  related  to  a  set  of  circumstances  that  are  dif- 

19  ferent  from  those  involved  in  the  previous  violation  or  set 

20  of  related  violations  described  in  such  subsection  (a).". 

21  (b)  Clerical  Amendment. — The  table  of  chapters 

22  for  part  I  of  title  18,  United  States  Code,  is  amended  by 

23  inserting  after  the  item  relating  to  chapter  123  the  follow- 

24  ing  new  item: 

"124.  Wrongful  disclosure  of  protected  health  information    2801". 
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1  SEC.  302.  DEBARMENT  FOR  CRIMES. 

2  (a)  Purpose. — The  purpose  of  this  section  is  to  pro- 

3  mote  the  prevention  and  deterrence  of  instances  of  inten- 

4  tional  criminal  actions  which  violate  criminal  laws  which 

5  are  designed  to  safeguard  the  protected  health  information 

6  in  a  manner  consistent  with  this  Act. 

7  (b)  Debarment. — Not  later  than  270  days  after  the 

8  effective  date  of  this  Act,  the  Attorney  General,  in  con- 

9  sultation  with  the  Secretary,  shall  promulgate  regulations 

10  and  estabhsh  procedures  to  permit  the  debarment  of 

1 1  health  care  providers,  health  researchers,  health  or  life  in- 

12  surers,  or  schools  or  universities  from  receiving  benefits 

13  under  any  Federal  health  programs  if  the  managers  or 

14  officers  of  such  entities  are  found  guilty  of  violating  sec- 

15  tion  2801  of  title  18,  United  States  Code,  have  civil  pen- 

16  alties  imposed  against  such  officers  or  managers  under 

17  section  311  in  connection  with  the  illegal  disclosure  of  pro- 

18  tected  health  information,  or  are  found  guilty  of  making 

19  a  false  statement  or  obstructing  justice  related  to  attempt- 

20  ing  to  conceal  or  concealing  such  illegal  disclosure.  Such 

21  regulations  shall  take  into  account  the  need  for  continuity 

22  of  medical  care  and  may  provide  for  a  delay  of  any  debar- 

23  ment  imposed  under  this  section  to  take  into  account  the 

24  medical  needs  of  patients. 

25  (c)  Consultation. — Before  publishing  a  proposed 

26  rule  to  implement  subsection  (b),  the  Attorney  General 
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1  shall  consult  with  State  law  enforcement  officials,  health 

2  care  providers,  patient  privacy  rights'  advocates,  and  other 

3  appropriate  individuals  and  entities,  to  gain  additional  in- 

4  formation  regarding  the  debarment  of  entities  under  sub- 

5  section  (b)  and  the  best  methods  to  ensure  the  continuity 

6  of  medical  care. 

7  (d)  Report. — The  Attorney  General  shall  annually 

8  prepare  and  submit  to  the  Committee  on  the  Judiciary  of 

9  the  House  of  Representatives  and  the  Committee  on  the 

10  Judiciary  of  the  Senate  a  report  concerning  the  activities 

11  and  debarment  actions  taken  by  the  Attorney  General 

12  under  this  section. 

13  (e)  Assistance  To  Prevent  Criminal  Viola- 

14  TIONS. — The  Attorney  General,  in  cooperation  with  any 

15  other  appropriate  individual,  organization,  or  agency,  may 

16  provide  advice,  training,  technical  assistance,  and  guid- 

17  ance  regarding  ways  to  reduce  the  incidence  of  improper 

18  disclosure  of  protected  health  information. 

19  (f)  Relationship  to  Other  Authorities. — ^A  de- 

20  barment  imposed  under  this  section  shall  not  reduce  or 

21  diminish  the  authority  of  a  Federal,  State,  or  local  govern- 

22  mental  agency  or  court  to  penahze,  imprison,  fine,  sus- 

23  pend,  debar,  or  take  other  adverse  action  against  a  person, 

24  in  a  civil,  criminal,  or  administrative  proceeding. 
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1  Subtitle  B — Civil  Sanctions 

2  SEC.  311.  CIVIL  PENALTY. 

3  (a)  Violation. — A  health  care  provider,  health  re- 

4  searcher,  health  plan,  health  oversight  agency,  public 

5  health  agency,  law  enforcement  agency,  employer,  health 

6  or  life  insurer,  school,  or  university,  or  the  agent  of  any 

7  such  individual  or  entity,  who  the  Secretary,  in  consulta- 

8  tion  with  the  Attorney  General,  determines  has  substan- 

9  tially  and  materially  failed  to  comply  with  this  Act  shall 

10  be  subject,  in  addition  to  any  other  penalties  that  may 

11  be  prescribed  by  law — 

12  (1)  in  a  case  in  which  the  violation  relates  to 

13  title  I,  to  a  civil  penalty  of  not  more  than  $500  for 

14  each  such  violation,  but  not  to  exceed  $5,000  in  the 

15  aggregate  for  multiple  violations; 

16  (2)  in  a  case  in  which  the  violation  relates  to 

17  title  II,  to  a  civil  penalty  of  not  more  than  $10,000 

18  for  each  such  violation,  but  not  to  exceed  $50,000 

19  in  the  aggregate  for  multiple  violations;  or 

20  (3)  in  a  case  in  which  the  Secretary  finds  that 

21  such  violations  have  occurred  with  such  frequency  as 

22  to  constitute  a  general  business  practice,  to  a  civil 

23  penalty  of  not  more  than  $100,000. 

24  (b)  Procedures  for  Imposition  of  Penalties. — 

25  Section  1128A  of  the  Social  Security  Act,  other  than  sub- 
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1  sections  (a)  and  (b)  and  the  second  sentence  of  subsection 

2  (f)  of  that  section,  shall  apply  to  the  imposition  of  a  civil, 

3  monetary,  or  exclusionary  penalty  under  this  section  in  the 

4  same  manner  as  such  provisions  apply  with  respect  to  the 

5  imposition  of  a  penalty  under  section  1128A  of  such  Act. 

6  SEC.  312.  PROCEDURES  FOR  IMPOSITION  OF  PENALTIES. 

7  (a)  Initiation  of  Proceedings. — 

8  (1)  In  general. — The  Secretary,  in  consulta- 

9  tion  with  the  Attorney  General,  may  initiate  a  pro- 

10  ceeding  to  determine  whether  to  impose  a  civil 

11  money  penalty  under  section  311.  The  Secretary 

12  may  not  initiate  an  action  under  this  section  with  re- 

13  spect  to  any  violation  described  in  section  311  after 

14  the  expiration  of  the  6 -year  period  beginning  on  the 

15  date  on  which  such  violation  was  alleged  to  have  oe- 

16  curred.  The  Secretary  may  initiate  an  action  under 

17  this  section  by  serving  notice  of  the  action  in  any 

18  manner  authorized  by  Rule  4  of  the  Federal  Rules 

19  of  Civil  Procedure. 

20  (2)  Notice  and  opportunity  for  hear- 

21  ING. — The  Secretary  shall  not  make  a  determination 

22  adverse  to  any  person  under  paragraph  (1)  until  the 

23  person  has  been  given  written  notice  and  an  oppor- 

24  tunity  for  the  determination  to  be  made  on  the 

25  record  after  a  hearing  at  which  the  person  is  entitled 
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1  to  be  represented  by  counsel,  to  present  witnesses, 

2  and  to  cross-examine  witnesses  against  the  person. 

3  (3)  Estoppel. — In  a  proceeding  under  para- 

4  graph  (1)  that — 

5  (A)  is  against  a  person  who  has  been  con- 

6  victed  (whether  upon  a  verdict  after  trial  or 

7  upon  a  plea  of  guilty  or  nolo  contendere)  of  a 

8  crime  under  section  2801  of  title  18,  United 

9  States  Code;  and 

10  (B)  involves  the  same  conduct  as  in  the 

11  criminal  action; 

12  the  person  is  estopped  from  denying  the  essential 

13  elements  of  the  criminal  offense. 

14  (4)  Sanctions  for  failure  to  comply. — 

15  The  official  conducting  a  hearing  under  this  section 

16  may  sanction  a  person,  including  any  party  or  attor- 

17  ney,  for  failing  to  comply  with  an  order  or  proce- 

18  dure,  failing  to  defend  an  action,  or  other  mis- 

19  conduct  as  would  interfere  with  the  speedy,  orderly, 

20  or  fair  conduct  of  the  hearing.  Such  sanction  shall 

21  reasonably  relate  to  the  severity  and  nature  of  the 

22  failure  or  misconduct.  Such  sanction  may  include — 

23  (A)  in  the  case  of  refusal  to  provide  or  per- 

24  mit  discovery,  drawing  negative  factual  infer- 

25  ences  or  treating  such  refusal  as  an  admission 
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1  by  deeming  the  matter,  or  certain  facts,  to  be 

2  established; 

3  (B)  prohibiting  a  party  from  introducing 

4  certain  evidence  or  otherwise  supporting  a  par- 

5  ticular  claim  or  defense; 

6  (C)  striking  pleadings,  in  whole  or  in  part; 

7  (D)  stajdng  the  proceedings; 

8  (E)  dismissal  of  the  action; 

9  (F)  entering  a  default  judgment; 

10  (G)  ordering  the  party  or  attorney  to  pay 

11  attorneys'  fees  and  other  costs  caused  by  the 

12  failure  or  misconduct;  and 

13  (H)  refusing  to  consider  any  motion  or 

14  other  action  which  is  not  filed  in  a  timely  man- 

15  ner. 

16  (b)    Scope   of   Penalty. — ^In   determining  the 

17  amount  or  scope  of  any  penalty  imposed  pursuant  to  sec- 

18  tion  311,  the  Secretary  shall  take  into  account — 

19  (1)  the  nature  of  claims  and  the  circumstances 

20  under  which  they  were  presented; 

21  (2)  the  degree  of  culpability,  history  of  prior  of- 

22  fenses,  and  financial  condition  of  the  person  present- 

23  ing  the  claims;  and 

24  (3)  such  other  matters  as  justice  may  require. 

25  (c)  Review  of  Determination. — 
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1  (1)  In  general. — ^Any  person  adversely  af- 

2  fected  by  a  determination  of  the  Secretary  under 

3  this  section  may  obtain  a  review  of  such  determina- 

4  tion  in  the  United  States  Court  of  Appeals  for  the 

5  circuit  in  which  the  person  resides,  or  in  which  the 

6  claim  was  presented,  by  filing  in  such  court  (within 

7  60  days  following  the  date  the  person  is  notified  of 

8  the  determination  of  the  Secretary)  a  written  peti- 

9  tion  requesting  that  the  determination  be  modified 

10  or  set  aside. 

11  (2)  Filing  of  record. — copy  of  the  petition 

12  filed  under  paragraph  (1)  shall  be  forthwith  trans- 

13  mitted  by  the  clerk  of  the  court  to  the  Secretary, 

14  and  thereupon  the  Secretary  shall  file  in  the  Court 

15  the  record  in  the  proceeding  as  provided  in  section 

16  2112  of  title  28,  United  States  Code.  Upon  such  fil- 

17  ing,  the  court  shall  have  jurisdiction  of  the  proceed- 

18  ing  and  of  the  question  determined  therein,  and 

19  shall  have  the  power  to  make  and  enter  upon  the 

20  pleadings,  testimony,  and  proceedings  set  forth  in 

21  such  record  a  decree  affirming,  modifying,  remand- 

22  ing  for  further  consideration,  or  setting  aside,  in 

23  whole  or  in  part,  the  determination  of  the  Secretary 

24  and  enforcing  the  same  to  the  extent  that  such  order 

25  is  affirmed  or  modified. 
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1  (3)  Consideration  of  objections. — No  ob- 

2  jection  that  has  not  been  raised  before  the  Secretary 

3  with  respect  to  a  determination  described  in  para- 

4  ^aph  (1)  shall  be  considered  by  the  court,  unless 

5  the  failure  or  neglect  to  raise  such  objection  shall  be 

6  excused  because  of  extraordinary  circumstances. 

7  (4)  Findings. — The  findings  of  the  Secretary 

8  with  respect  to  questions  of  fact  in  an  action  under 

9  this  subsection,  if  supported  by  substantial  evidence 

10  on  the  record  considered  as  a  whole,  shall  be  conclu- 

11  sive.  If  any  party  shall  apply  to  the  court  for  leave 

12  to  adduce  additional  evidence  and  shall  show  to  the 

13  satisfaction  of  the  court  that  such  additional  evi- 

14  dence  is  material  and  that  there  were  reasonable 

15  grounds  for  the  failure  to  adduce  such  evidence  in 

16  the  hearing  before  the  Secretary,  the  court  may 

17  order  such  additional  evidence  to  be  taken  before  the 

18  Secretary  and  to  be  made  a  part  of  the  record.  The 

19  Secretary  may  modify  findings  as  to  the  facts,  or 

20  make  new  findings,  by  reason  of  additional  evidence 

21  so  taken  and  filed,  and  shall  file  with  the  court  such 

22  modified  or  new  findings,  and  such  findings  with  re- 

23  spect  to  questions  of  fact,  if  supported  by  substan- 

24  tial  evidence  on  the  record  considered  as  a  whole, 

25  and  the  recommendations  of  the  Secretary,  if  any, 
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1  for  the  modification  or  setting  aside  of  the  original 

2  order,  shall  be  conclusive. 

3  (5)  Exclusive  jurisdiction. — Upon  the  fihng 

4  of  the  record  with  the  court  under  paragraph  (2), 

5  the  jurisdiction  of  the  court  shall  be  exclusive  and  its 

6  judgment  and  decree  shall  be  final,  except  that  the 

7  same  shall  be  subject  to  review  by  the  Supreme 

8  Court  of  the  United  States,  as  provided  for  in  see- 

9  tion  1254  of  title  28,  United  States  Code. 

10  (d)  Recovery  of  Penalties. — 

11  (1)  In  general. — Civil  money  penalties  im- 

12  posed  under  this  subtitle  may  be  compromised  by 

13  the  Secretary  and  may  be  recovered  in  a  civil  action 

14  in  the  name  of  the  United  States  brought  in  United 

15  States  district  court  for  the  district  where  the  claim 

16  was  presented,  or  where  the  claimant  resides,  as  de- 

17  termined  by  the  Secretary.  Amounts  recovered  under 

18  this  section  shall  be  paid  to  the  Secretary  and  depos- 

19  ited  as  miscellaneous  receipts  of  the  Treasury  of  the 

20  United  States. 

21  (2)  Deduction  from  amounts  owing. — The 

22  amount  of  any  penalty,  when  finally  determined 

23  under  this  section,  or  the  amount  agreed  upon  in 

24  compromise  under  paragraph  (1),  may  be  deducted 

25  from  any  sum  then  or  later  owing  by  the  United 
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1  States  or  a  State  to  the  person  against  whom  the 

2  penalty  has  been  assessed. 

3  (e)  Determination  Final. — determination  by 

4  the  Secretary  to  impose  a  penalty  under  section  321  shall 

5  be  final  upon  the  expiration  of  the  60-day  period  referred 

6  to  in  subsection  (c)(1).  Matters  that  were  raised  or  that 

7  could  have  been  raised  in  a  hearing  before  the  Secretary 

8  or  in  an  appeal  pursuant  to  subsection  (c)  may  not  be 

9  raised  as  a  defense  to  a  civil  action  by  the  United  States 

10  to  collect  a  penalty  under  section  311. 

1 1  (f)  Subpoena  Authority. — 

12  (1)  In  general. — For  the  purpose  of  any 

13  hearing,  investigation,  or  other  proceeding  author- 

14  ized  or  directed  under  this  section,  or  relative  to  any 

15  other  matter  within  the  jurisdiction  of  the  Attorney 

16  General  hereunder,  the  Attorney  General,  acting 

17  through  the  Secretary  shall  have  the  power  to  issue 

18  subpoenas  requiring  the  attendance  and  testimony  of 

19  witnesses  and  the  production  of  any  evidence  that 

20  relates  to  any  matter  under  investigation  or  in  ques- 

21  tion  before  the  Secretary.  Such  attendance  of  wit- 

22  nesses  and  production  of  evidence  at  the  designated 

23  place  of  such  hearing,  investigation,  or  other  pro- 

24  ceeding  may  be  required  from  any  place  in  the 
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1  United  States  or  in  any  Territory  or  possession 

2  thereof. 

3  (2)   Service. — Subpoenas  of  the  Secretary 

4  under  paragraph  (1)  shall  be  served  by  anyone  au- 

5  thorized  by  the  Secretary  by  delivering  a  copy  there- 

6  of  to  the  individual  named  therein. 

7  (3)  Proof  of  service. — A  verified  return  by 

8  the  individual  serving  the  subpoena  under  this  sub- 

9  section  setting  forth  the  manner  of  service  shall  be 

10  proof  of  service. 

11  (4)  Fees. — ^Witnesses  subpoenaed  under  this 

12  subsection  shall  be  paid  the  same  fees  and  mileage 

13  as  are  paid  witnesses  in  the  district  court  of  the 

14  United  States. 

15  (5)  Refusal  to  obey. — In  case  of  contumacy 

16  by,  or  refusal  to  obey  a  duly  served  upon,  any  per- 

17  son,  any  district  court  of  the  United  States  for  the 

18  judicial  district  in  which  such  person  charged  with 

19  contumacy  or  refusal  to  obey  is  found  or  resides  or 

20  transacts  business,  upon  application  by  the  Sec- 

21  retary,  shall  have  jurisdiction  to  issue  an  order  re- 

22  quiring  such  person  to  appear  and  give  testimony,  or 

23  to  appear  and  produce  evidence,  or  both.  Any  failure 

24  to  obey  such  order  of  the  court  may  be  punished  by 

25  the  court  as  contempt  thereof. 
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1  (g)  Injunctive  Relief. — Whenever  the  Secretary 

2  has  reason  to  beheve  that  any  person  has  engaged,  is  en- 

3  gaging,  or  is  about  to  engage  in  any  activity  which  makes 

4  the  person  subject  to  a  civil  monetary  penalty  under  sec- 

5  tion  311,  the  Secretary  may  bring  an  action  in  an  appro- 

6  priate  district  court  of  the  United  States  (or,  if  applicable, 

7  a  United  States  court  of  any  territory)  to  enjoin  such  ac- 

8  tivity,  or  to  enjoin  the  person  from  concealing,  removing, 

9  encumbering,  or  disposing  of  assets  which  may  be  required 

10  in  order  to  pay  a  civil  monetary  penalty  if  any  such  pen- 

1 1  alty  were  to  be  imposed  or  to  seek  other  appropriate  relief. 

12  (h)  Agency. — A  principal  is  liable  for  penalties 

13  under  section  311  for  the  actions  of  the  principal's  agent 

14  acting  within  the  scope  of  the  agency. 

15  SEC.  313.  REPORT  ON  USE  OF  EXISTING  ENFORCEMENT 

16  MECHANISMS. 

17  In  addition  to  the  criminal  and  civil  penalties  that 

1 8  may  be  applied  under  this  title,  the  Secretary  shall  prepare 

19  and  submit  to  Congress  a  report  regarding  the  use  of  ex- 

20  isting  Federal,  State  and  other  licensure,  certification  and 

21  regulatory  mechanisms,  including  State  insurance  regula- 

22  tions,  for  the  imposition  of  sanctions  or  penalties  for  the 

23  wrongful  disclosure  of  protected  health  information. 
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1  SEC.  314.  CIVIL  ACTION  BY  INDIVIDUALS. 

2  (a)  In  General. — ^Any  individual  whose  rights  under 

3  this  Act  have  been  knowingly  or  negligently  violated  may 

4  bring  a  civil  action  to  recover — 

5  (1)  such  prehminaiy  and  equitable  relief  as  the 

6  court  determines  to  be  appropriate;  and 

7  (2)  the  greater  of  compensatory  damages  or  liq- 

8  uidated  damages  of  $5,000. 

9  (b)  Punitive  Damages. — In  any  action  brought 

10  under  this  section  in  which  the  individual  has  prevailed 

1 1  because  of  a  knowing  violation  of  a  provision  of  this  Act, 

12  the  court  may,  in  addition  to  any  relief  awarded  under 

13  subsection  (a),  award  such  punitive  damages  as  may  be 

14  appropriate. 

15  (c)  Attorney's  Fees. — In  the  case  of  a  civil  action 

16  brought  under  subsection  (a)  in  which  the  individual  has 

17  substantially  prevailed,  the  court  may  assess  against  the 

18  respondent  a  reasonable  attorney's  fee  and  other  litigation 

19  costs  and  expenses  (including  expert  fees)  reasonably  in- 

20  curred. 

21  (d)  Limitation. — No  action  may  be  commenced 

22  under  this  section  more  than  3  years  after  the  date  on 

23  which  the  violation  was  or  should  reasonably  have  been 

24  discovered. 

•S  578  IS 


71 

1  TITLE  IV— MISCELLANEOUS 

2  SEC.  401.  RELATIONSHIP  TO  OTHER  LAWS. 

3  (a)  State  and  Federal  Law. — 

4  (1)  State  law  enacted  prior  to  effective 

5  DATE. — Nothing  in  this  Act  shall  be  construed  to  su- 

6  persede  any  provision  of  State  law  that  establishes, 

7  implements,  or  continues  in  effect  any  standard  or 

8  requirement  relating  to  the  privacy  of  protected 

9  health  information  if  such  provision  is  enacted  prior 

10  to  the  effective  date  of  this  Act.  Such  laws  shall  not 

11  be  superseded  after  such  effective  date  to  the  extent 

12  that  such  laws  are  at  least  as  protective  of  the  pri- 

13  vacy  of  protected  health  information  as  the  protec- 

14  tions  provided  under  this  Act. 

15  (2)  State  law  enacted  after  effective 

16  DATE. — Except  as  provided  in  subsections  (b)  and 

17  (c),  the  provisions  of  this  Act  shall  preempt  any 

18  State  law  relating  to  the  privacy  of  protected  health 

19  information  if  such  law  is  enacted  after  the  effective 

20  date  of  this  Act. 

21  (3)  Federal  law. — Nothing  in  this  Act  shall 

22  be  construed  as  repealing,  explicitly  or  implicitly, 

23  other  Federal  laws  or  regulations  relating  to  pro- 

24  tected  health  information  or  relating  to  an  individ- 
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1  ual's  access  to  protected  health  information  or 

2  health  care  services. 

3  (b)  Privileges. — Nothing  in  this  title  shall  be  con- 

4  stmed  to  preempt  or  modify  any  provisions  of  State  statu- 

5  tory  or  common  law  to  the  extent  that  such  law  concerns 

6  a  privilege  of  a  witness  or  person  in  a  court  of  that  State. 

7  This  title  shall  not  be  construed  to  supersede  or  modify 

8  any  provision  of  Federal  statutory  or  common  law  to  the 

9  extent  such  law  concerns  a  privilege  of  a  witness  or  person 

10  in  a  court  of  the  United  States.  Authorizations  pursuant 

11  to  sections  202  and  203  shall  not  be  construed  as  a  waiver 

12  of  any  such  privilege. 

13  (c)  Certain  Duties  Under  Law. — Nothing  in  this 

14  title  shall  be  construed  to  preempt,  supersede,  or  modify 

15  the  operation  of  any  State  law  that — 

16  (1)  provides  for  the  reporting  of  vital  statistics 

17  such  as  birth  or  death  information; 

18  (2)  requires  the  reporting  of  abuse  or  neglect 

19  information  about  any  individual; 

20  (3)  relates  to  public  or  mental  health  and  that 

21  prevents  or  otherwise  restricts  disclosure  of  informa- 

22  tion  otherwise  permissible  under  this  Act; 

23  (4)  governs  a  minor's  right  to  access  protected 

24  health  information  or  health  care  services;  or 


•S  578  IS 


73 

1  (5)  authorizes  the  collecting,  analysis,  or  dis- 

2  semination  of  information  from  an  entity  described 

3  in  section  201(a)  for  the  purpose  of  developing  use, 

4  cost  effectiveness,  performance,  or  quality  data. 

5  (d)  Federal  Privacy  Act. — 

6  (1)  Medical  exemptions. — Sections  552a  of 

7  title  5,  United  States  Code,  is  amended  by  adding 

8  at  the  end  thereof  the  following:  "The  head  of  an 

9  agency  that  is  an  entity  described  in  section  311(a) 

10  of  the  Health  Care  PIN  Act  shall  promulgate  rules, 

11  in  accordance  with  the  requirements  (including  gen- 

12  eral  notice)  of  subsections  (b)(1),  (b)(2),  (b)(3),  (c), 

13  and  (e)  of  section  553  of  this  title,  to  exempt  a  sys- 

14  tem  of  records  within  an  agency,  to  the  extent  that 

15  the  system  of  records  contains  protected  health  in- 

16  formation  (as  defined  in  section  4(20)  of  such  Act), 

17  from  all  provisions  of  this  section  except  subsections 

18  (b)(6),  (d),  (e)(1),  (e)(2),  subparagraphs  (A)  and 

19  (C)  and  (E)  through  (I)  of  subsection  (e)(4),  and 

20  subsections  (e)(5),  (e)(6),  (e)(9),  (e)(12),  (1),  (n), 

21  (o),  (p),  (r),  and  (u).". 

22  (2)  Technical       amendment. — Section 

23  552a(f)(3)  of  title  5,  United  States  Code,  is  amend- 

24  ed  by  striking  "pertaining  to  him,"  and  all  that  fol- 
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1  lows  through  the  semicolon  and  inserting  "pertain- 

2  mg  to  the  individual." 

3  (e)  Application  to  Certain  Federal  Agen- 

4  cies. — 

5  (1)  Department  of  defense. — 

6  (A)  Exceptions. — The  Secretary  of  De- 

7  fense  may,  by  regulation,  establish  exceptions  to 

8  the  disclosure  requirements  of  this  Act  to  the 

9  extent  such  Secretary  determines  that  disclo- 

10  sure  of  protected  health  information  relating  to 

11  members  of  the  armed  forces  from  systems  of 

12  records  operated  by  the  Department  of  Defense 

13  is  necessary  under  circumstances  different  from 

14  those  permitted  under  this  Act  for  the  proper 

15  conduct  of  national  defense  functions  by  mem- 

16  bers  of  the  armed  forces. 

17  (B)  Application  to  civilian  employ- 

18  EES. — The  Secretary  of  Defense  may,  by  regu- 

19  lation,  establish  for  civilian  employees  of  the 

20  Department  of  Defense  and  employees  of  De- 

21  partment  of  Defense  contractors,  limitations  on 

22  the  right  of  such  persons  to  revoke  or  amend 

23  authorizations  for  disclosures  under  section  203 

24  when  such  authorizations  were  provided  by  such 

25  employees  as  a  condition  of  employment  and 
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1  the  disclosure  is  determined  necessary  by  the 

2  Secretary  of  Defense  to  the  proper  conduct  of 

3  national  defense  functions  by  such  employees. 

4  (2)  Department  of  transportation. — 

5  (A)    Exceptions. — The    Secretary  of 

6  Transportation  may,  with  respect  to  members 

7  of  the  Coast  Guard,  exercise  the  same  powers 

8  as  the  Secretary  of  Defense  may  exercise  under 

9  paragraph  (1)(A). 

10  (B)  Application  to  civilian  employ- 

11  EES. — The  Secretary  of  Transportation  may, 

12  with  respect  to  civilian  employees  of  the  Coast 

13  Guard  and  Coast  Guard  contractors,  exercise 

14  the  same  powers  as  the  Secretary  of  Defense 

1 5  may  exercise  under  paragraph  ( 1 )  ( B ) . 

16  (3)  Department  of  veterans  affairs. — 

17  The  limitations  on  use  and  disclosure  of  protected 

18  health  information  under  this  Act  shall  not  be  con- 

19  strued  to  prevent  any  exchange  of  such  information 

20  within  and  among  components  of  the  Department  of 

21  Veterans  Affairs  that  determine  eligibility  for  or  en- 

22  titlement  to,  or  that  provide,  benefits  under  laws  ad- 

23  ministered  by  the  Secretary  of  Veteran  Affairs. 
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1  SEC.  402.  EFFECTIVE  DATE. 

2  (a)  Effective  Date. — Except  as  provided  in  sub- 

3  section  (b),  this  Act  shall  take  effect  on  the  date  that  is 

4  18  months  after  the  date  of  enactment  of  this  Act. 

5  (b)  Regulations. — The  Secretary  shall  promulgate 

6  regulations  implementing  this  Act  not  later  than  12 

7  months  after  the  date  of  enactment  of  this  Act. 
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